diff --git a/oas_docs/output/kibana.serverless.yaml b/oas_docs/output/kibana.serverless.yaml
index e577ffc5b1175..73b900fda22f9 100644
--- a/oas_docs/output/kibana.serverless.yaml
+++ b/oas_docs/output/kibana.serverless.yaml
@@ -18288,6 +18288,68 @@ paths:
summary: Update an agent policy
tags:
- Elastic Agent policies
+ /api/fleet/agent_policies/{agentPolicyId}/auto_upgrade_agents_status:
+ get:
+ description: 'Get auto upgrade agent status
[Required authorization] Route required privileges: fleet-agents-read.'
+ operationId: get-fleet-agent-policies-agentpolicyid-auto-upgrade-agents-status
+ parameters:
+ - in: path
+ name: agentPolicyId
+ required: true
+ schema:
+ type: string
+ responses:
+ '200':
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ type: object
+ properties:
+ currentVersions:
+ items:
+ additionalProperties: false
+ type: object
+ properties:
+ agents:
+ type: number
+ failedUpgradeAgents:
+ type: number
+ version:
+ type: string
+ required:
+ - version
+ - agents
+ - failedUpgradeAgents
+ type: array
+ totalAgents:
+ type: number
+ required:
+ - currentVersions
+ - totalAgents
+ '400':
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ type: object
+ properties:
+ attributes: {}
+ error:
+ type: string
+ errorType:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ - attributes
+ summary: Get auto upgrade agent status
+ tags:
+ - Elastic Agent policies
/api/fleet/agent_policies/{agentPolicyId}/copy:
post:
description: Copy an agent policy by ID.
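Review bot: In the new `auto_upgrade_agents_status` response schema, `agents`, `failedUpgradeAgents` and `totalAgents` are declared `type: number`, which admits fractional values; as agent counts they should be `type: integer` so generated clients bind them to integral types. The `400` body's `attributes: {}` is likewise unconstrained, though that matches the Generic Error shape used elsewhere in this file. If this output is regenerated from the route's response schema, the change belongs in that schema rather than in this file. The `paths` mapping continues outside the hunk.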
diff --git a/oas_docs/output/kibana.yaml b/oas_docs/output/kibana.yaml
index b63243d8114e3..1cd0842fb2995 100644
--- a/oas_docs/output/kibana.yaml
+++ b/oas_docs/output/kibana.yaml
@@ -2,36 +2,64 @@ openapi: 3.0.3
info:
contact:
name: Kibana Team
- description: |
- The Kibana REST APIs enable you to manage resources such as connectors, data views, and saved objects.
+ description: >
+ The Kibana REST APIs enable you to manage resources such as connectors, data
+ views, and saved objects.
+
The API calls are stateless.
- Each request that you make happens in isolation from other calls and must include all of the necessary information for Kibana to fulfill the
+
+ Each request that you make happens in isolation from other calls and must
+ include all of the necessary information for Kibana to fulfill the
+
request.
- API requests return JSON output, which is a format that is machine-readable and works well for automation.
+
+ API requests return JSON output, which is a format that is machine-readable
+ and works well for automation.
+
To interact with Kibana APIs, use the following operations:
+
- GET: Fetches the information.
+
- PATCH: Applies partial modifications to the existing information.
+
- POST: Adds new information.
+
- PUT: Updates the existing information.
+
- DELETE: Removes the information.
- You can prepend any Kibana API endpoint with `kbn:` and run the request in **Dev Tools → Console**.
+
+ You can prepend any Kibana API endpoint with `kbn:` and run the request in
+ **Dev Tools → Console**.
+
For example:
+
```
+
GET kbn:/api/data_views
+
```
- For more information about the console, refer to [Run API requests](https://www.elastic.co/guide/en/kibana/current/console-kibana.html).
- NOTE: Access to internal Kibana API endpoints will be restricted in Kibana version 9.0. Please move any integrations to publicly documented APIs.
+ For more information about the console, refer to [Run API
+ requests](https://www.elastic.co/guide/en/kibana/current/console-kibana.html).
+
+
+ NOTE: Access to internal Kibana API endpoints will be restricted in Kibana
+ version 9.0. Please move any integrations to publicly documented APIs.
+
## Documentation source and versions
- This documentation is derived from the `8.x` branch of the [kibana](https://github.com/elastic/kibana) repository.
- It is provided under license [Attribution-NonCommercial-NoDerivatives 4.0 International](https://creativecommons.org/licenses/by-nc-nd/4.0/).
+
+ This documentation is derived from the `8.x` branch of the
+ [kibana](https://github.com/elastic/kibana) repository.
+
+ It is provided under license [Attribution-NonCommercial-NoDerivatives 4.0
+ International](https://creativecommons.org/licenses/by-nc-nd/4.0/).
title: Kibana APIs
version: 1.0.2
x-doc-license:
@@ -39,220 +67,21 @@ info:
url: https://creativecommons.org/licenses/by-nc-nd/4.0/
x-feedbackLink:
label: Feedback
- url: https://github.com/elastic/docs-content/issues/new?assignees=&labels=feedback%2Ccommunity&projects=&template=api-feedback.yaml&title=%5BFeedback%5D%3A+
+ url: >-
+ https://github.com/elastic/docs-content/issues/new?assignees=&labels=feedback%2Ccommunity&projects=&template=api-feedback.yaml&title=%5BFeedback%5D%3A+
servers:
+ - url: http://{kibana_host}:{port}
+ variables:
+ kibana_host:
+ default: localhost
+ port:
+ default: '5601'
+ - url: http://localhost:5622
+ - url: /
- url: https://{kibana_url}
variables:
kibana_url:
default: localhost:5601
-security:
- - apiKeyAuth: []
- - basicAuth: []
-tags:
- - name: alerting
- description: |
- Alerting enables you to define rules, which detect complex conditions within your data. When a condition is met, the rule tracks it as an alert and runs the actions that are defined in the rule. Actions typically involve the use of connectors to interact with Kibana services or third party integrations.
- externalDocs:
- description: Alerting documentation
- url: https://www.elastic.co/docs/explore-analyze/alerts-cases/alerts
- x-displayName: Alerting
- - description: |
- Adjust APM agent configuration without need to redeploy your application.
- name: APM agent configuration
- - description: |
- Configure APM agent keys to authorize requests from APM agents to the APM Server.
- name: APM agent keys
- - description: |
- Annotate visualizations in the APM app with significant events. Annotations enable you to easily see how events are impacting the performance of your applications.
- name: APM annotations
- - description: Create APM fleet server schema.
- name: APM server schema
- - description: Configure APM source maps.
- name: APM sourcemaps
- - description: |
- Cases are used to open and track issues. You can add assignees and tags to your cases, set their severity and status, and add alerts, comments, and visualizations. You can also send cases to external incident management systems by configuring connectors.
- name: cases
- externalDocs:
- description: Cases documentation
- url: https://www.elastic.co/docs/explore-analyze/alerts-cases/cases
- x-displayName: Cases
- - name: connectors
- description: |
- Connectors provide a central place to store connection information for services and integrations with Elastic or third party systems. Alerting rules can use connectors to run actions when rule conditions are met.
- externalDocs:
- description: Connector documentation
- url: https://www.elastic.co/docs/reference/kibana/connectors-kibana
- x-displayName: Connectors
- - name: Dashboards
- - description: Data view APIs enable you to manage data views, formerly known as Kibana index patterns.
- name: data views
- x-displayName: Data views
- - description: |
- Programmatically integrate with Logstash configuration management.
- > warn
- > Do not directly access the `.logstash` index. The structure of the `.logstash` index is subject to change, which could cause your integration to break. Instead, use the Logstash configuration management APIs.
- externalDocs:
- description: Centralized pipeline management
- url: https://www.elastic.co/guide/en/logstash/current/logstash-centralized-pipeline-management.html
- name: logstash
- x-displayName: Logstash configuration management
- - description: Machine learning
- name: ml
- x-displayName: Machine learning
- - name: roles
- x-displayName: Roles
- description: Manage the roles that grant Elasticsearch and Kibana privileges.
- externalDocs:
- description: Kibana role management
- url: https://www.elastic.co/guide/en/kibana/8.x/kibana-role-management.html
- - description: |
- Export sets of saved objects that you want to import into Kibana, resolve import errors, and rotate an encryption key for encrypted saved objects with the saved objects APIs.
-
- To manage a specific type of saved object, use the corresponding APIs.
- For example, use:
-
- * [Data views](../group/endpoint-data-views)
- * [Spaces](https://www.elastic.co/guide/en/kibana/current/spaces-api.html)
- * [Short URLs](https://www.elastic.co/guide/en/kibana/current/short-urls-api.html)
-
- Warning: Do not write documents directly to the `.kibana` index. When you write directly to the `.kibana` index, the data becomes corrupted and permanently breaks future Kibana versions
- name: saved objects
- x-displayName: Saved objects
- - description: Manage and interact with Security Assistant resources.
- name: Security AI Assistant API
- x-displayName: Security AI assistant
- - description: |
- Use the detections APIs to create and manage detection rules. Detection rules search events and external alerts sent to Elastic Security and generate detection alerts from any hits. Alerts are displayed on the **Alerts** page and can be assigned and triaged, using the alert status to mark them as open, closed, or acknowledged.
-
- This API supports both key-based authentication and basic authentication.
-
- To use key-based authentication, create an API key, then specify the key in the header of your API calls.
-
- To use basic authentication, provide a username and password; this automatically creates an API key that matches the current user’s privileges.
-
- In both cases, the API key is subsequently used for authorization when the rule runs.
- > warn
- > If the API key used for authorization has different privileges than the key that created or most recently updated a rule, the rule behavior might change.
-
- > If the API key that created a rule is deleted, or the user that created the rule becomes inactive, the rule will stop running.
-
- To create and run rules, the user must meet specific requirements for the Kibana space. Refer to the [Detections requirements](https://www.elastic.co/guide/en/security/current/detections-permissions-section.html) for a complete list of requirements.
- name: Security Detections API
- x-displayName: Security detections
- - description: Endpoint Exceptions API allows you to manage detection rule endpoint exceptions to prevent a rule from generating an alert from incoming events even when the rule's other criteria are met.
- name: Security Endpoint Exceptions API
- x-displayName: Security endpoint exceptions
- - description: Interact with and manage endpoints running the Elastic Defend integration.
- name: Security Endpoint Management API
- x-displayName: Security endpoint management
- - description: ''
- name: Security Entity Analytics API
- x-displayName: Security entity analytics
- - description: |
- Exceptions are associated with detection and endpoint rules, and are used to prevent a rule from generating an alert from incoming events, even when the rule's other criteria are met. They can help reduce the number of false positives and prevent trusted processes and network activity from generating unnecessary alerts.
-
- Exceptions are made up of:
-
- * **Exception containers**: A container for related exceptions. Generally, a single exception container contains all the exception items relevant for a subset of rules. For example, a container can be used to group together network-related exceptions that are relevant for a large number of network rules. The container can then be associated with all the relevant rules.
- * **Exception items**: The query (fields, values, and logic) used to prevent rules from generating alerts. When an exception item's query evaluates to `true`, the rule does not generate an alert.
-
- For detection rules, you can also use lists to define rule exceptions. A list holds multiple values of the same Elasticsearch data type, such as IP addresses. These values are used to determine when an exception prevents an alert from being generated.
- > info
- > You cannot use lists with endpoint rule exceptions.
-
- > info
- > Only exception containers can be associated with rules. You cannot directly associate an exception item or a list container with a rule. To use list exceptions, create an exception item that references the relevant list container.
-
- ## Exceptions requirements
-
- Before you can start working with exceptions that use value lists, you must create the `.lists` and `.items` data streams for the relevant Kibana space. To do this, use the [Create list data streams](../operation/operation-createlistindex) endpoint. Once these data streams are created, your role needs privileges to manage rules. For a complete list of requirements, refer to [Enable and access detections](https://www.elastic.co/guide/en/security/current/detections-permissions-section.html#enable-detections-ui).
- name: Security Exceptions API
- x-displayName: Security exceptions
- - description: |
- Lists can be used with detection rule exceptions to define values that prevent a rule from generating alerts.
-
- Lists are made up of:
-
- * **List containers**: A container for values of the same Elasticsearch data type. The following data types can be used:
- * `boolean`
- * `byte`
- * `date`
- * `date_nanos`
- * `date_range`
- * `double`
- * `double_range`
- * `float`
- * `float_range`
- * `half_float`
- * `integer`
- * `integer_range`
- * `ip`
- * `ip_range`
- * `keyword`
- * `long`
- * `long_range`
- * `short`
- * `text`
- * **List items**: The values used to determine whether the exception prevents an alert from being generated.
-
- All list items in the same list container must be of the same data type, and each item defines a single value. For example, an IP list container named `internal-ip-addresses-southport` contains five items, where each item defines one internal IP address:
- 1. `192.168.1.1`
- 2. `192.168.1.3`
- 3. `192.168.1.18`
- 4. `192.168.1.12`
- 5. `192.168.1.7`
-
- To use these IP addresses as values for defining rule exceptions, use the Security exceptions API to [create an exception list item](../operation/operation-createexceptionlistitem) that references the `internal-ip-addresses-southport` list.
- > info
- > Lists cannot be added directly to rules, nor do they define the operators used to determine when exceptions are applied (`is in list`, `is not in list`). Use an exception item to define the operator and associate it with an [exception container](../operation/operation-createexceptionlist). You can then add the exception container to a rule's `exceptions_list` object.
-
- ## Lists requirements
-
- Before you can start using lists, you must create the `.lists` and `.items` data streams for the relevant Kibana space. To do this, use the [Create list data streams](../operation/operation-createlistindex) endpoint. Once these data streams are created, your role needs privileges to manage rules. Refer to [Enable and access detections](https://www.elastic.co/guide/en/security/current/detections-permissions-section.html#enable-detections-ui) for a complete list of requirements.
- name: Security Lists API
- x-displayName: Security lists
- - description: Run live queries, manage packs and saved queries.
- name: Security Osquery API
- x-displayName: Security Osquery
- - description: You can create Timelines and Timeline templates via the API, as well as import new Timelines from an ndjson file.
- name: Security Timeline API
- x-displayName: Security timeline
- - description: Manage Kibana short URLs.
- name: short url
- x-displayName: Short URLs
- - description: SLO APIs enable you to define, manage and track service-level objectives
- name: slo
- x-displayName: Service level objectives
- - name: spaces
- x-displayName: Spaces
- description: Manage your Kibana spaces.
- externalDocs:
- url: https://www.elastic.co/guide/en/kibana/8.x/xpack-spaces.html
- description: Space overview
- - name: synthetics
- x-displayName: Synthetics
- externalDocs:
- description: Synthetic monitoring
- url: https://www.elastic.co/guide/en/observability/current/monitor-uptime-synthetics.html
- - name: system
- x-displayName: System
- description: |
- Get information about the system status, resource usage, features, and installed plugins.
- - externalDocs:
- description: Task manager
- url: https://www.elastic.co/guide/en/kibana/current/task-manager-production-considerations.html
- name: task manager
- x-displayName: Task manager
- - description: Check the upgrade status of your Elasticsearch cluster and reindex indices that were created in the previous major version. The assistant helps you prepare for the next major version of Elasticsearch.
- name: upgrade
- x-displayName: Upgrade assistant
- - externalDocs:
- description: Uptime monitoring
- url: https://www.elastic.co/guide/en/observability/current/uptime-intro.html
- name: uptime
- x-displayName: Uptime
- - name: user session
- x-displayName: User session management
paths:
/api/actions:
get:
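Review bot: The top-level `security:` requirement (`apiKeyAuth`, `basicAuth`) is removed in this hunk with no replacement, so the bundled spec now advertises every operation as unauthenticated unless an operation-level `security` is set further down, which nothing in this diff shows. The whole `tags:` list goes too while operations still reference `tags: - connectors` (see the hunk ending at the `Get connector types` operation), which leaves those tags undefined for linters and doc renderers. The added servers `http://{kibana_host}:{port}` and `http://localhost:5622` are plain-http entries placed ahead of the existing `https://{kibana_url}`, so generated clients default to a cleartext base URL. If this file is bundler output, the drop most likely comes from the overlay or merge step rather than an intended edit; I would restore `security:` / `  - apiKeyAuth: []` / `  - basicAuth: []` and the tag list before publishing.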
@@ -323,10 +152,15 @@ paths:
description: Indicates whether the connector is missing secrets.
type: boolean
is_preconfigured:
- description: 'Indicates whether the connector is preconfigured. If true, the `config` and `is_missing_secrets` properties are omitted from the response. '
+ description: >-
+ Indicates whether the connector is preconfigured. If true,
+ the `config` and `is_missing_secrets` properties are
+ omitted from the response.
type: boolean
is_system_action:
- description: Indicates whether the connector is used for system actions.
+ description: >-
+ Indicates whether the connector is used for system
+ actions.
type: boolean
name:
description: ' The name of the rule.'
@@ -401,10 +235,15 @@ paths:
description: Indicates whether the connector is missing secrets.
type: boolean
is_preconfigured:
- description: 'Indicates whether the connector is preconfigured. If true, the `config` and `is_missing_secrets` properties are omitted from the response. '
+ description: >-
+ Indicates whether the connector is preconfigured. If true,
+ the `config` and `is_missing_secrets` properties are
+ omitted from the response.
type: boolean
is_system_action:
- description: Indicates whether the connector is used for system actions.
+ description: >-
+ Indicates whether the connector is used for system
+ actions.
type: boolean
name:
description: ' The name of the rule.'
@@ -480,10 +319,15 @@ paths:
description: Indicates whether the connector is missing secrets.
type: boolean
is_preconfigured:
- description: 'Indicates whether the connector is preconfigured. If true, the `config` and `is_missing_secrets` properties are omitted from the response. '
+ description: >-
+ Indicates whether the connector is preconfigured. If true,
+ the `config` and `is_missing_secrets` properties are
+ omitted from the response.
type: boolean
is_system_action:
- description: Indicates whether the connector is used for system actions.
+ description: >-
+ Indicates whether the connector is used for system
+ actions.
type: boolean
name:
description: ' The name of the rule.'
@@ -553,10 +397,15 @@ paths:
description: Indicates whether the connector is missing secrets.
type: boolean
is_preconfigured:
- description: 'Indicates whether the connector is preconfigured. If true, the `config` and `is_missing_secrets` properties are omitted from the response. '
+ description: >-
+ Indicates whether the connector is preconfigured. If true,
+ the `config` and `is_missing_secrets` properties are
+ omitted from the response.
type: boolean
is_system_action:
- description: Indicates whether the connector is used for system actions.
+ description: >-
+ Indicates whether the connector is used for system
+ actions.
type: boolean
name:
description: ' The name of the rule.'
@@ -577,20 +426,15 @@ paths:
description: You do not need any Kibana feature privileges to run this API.
operationId: get-actions-connector-types
parameters:
- - description: A filter to limit the retrieved connector types to those that support a specific feature (such as alerting or cases).
+ - description: >-
+ A filter to limit the retrieved connector types to those that
+ support a specific feature (such as alerting or cases).
in: query
name: feature_id
required: false
schema:
type: string
- responses:
- '200':
- description: Indicates a successful call.
- content:
- application/json:
- examples:
- getConnectorTypesServerlessResponse:
- $ref: '#/components/examples/get_connector_types_generativeai_response'
+ responses: {}
summary: Get connector types
tags:
- connectors
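Review bot: `responses: {}` on get-actions-connector-types replaces a documented 200 response with an empty Responses Object, which OpenAPI 3.0.3 does not allow (the object must contain at least one response code) and leaves clients with no success contract. The same replacement appears in the later hunk for `get-actions-connectors` (`/api/actions/connectors`). Even if the example refs had to go, keep the status entry, e.g. `responses:` / `  '200':` / `    description: Indicates a successful call.`. The enclosing operation starts outside the hunk.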
@@ -651,10 +495,15 @@ paths:
description: Indicates whether the connector is missing secrets.
type: boolean
is_preconfigured:
- description: 'Indicates whether the connector is preconfigured. If true, the `config` and `is_missing_secrets` properties are omitted from the response. '
+ description: >-
+ Indicates whether the connector is preconfigured. If true,
+ the `config` and `is_missing_secrets` properties are
+ omitted from the response.
type: boolean
is_system_action:
- description: Indicates whether the connector is used for system actions.
+ description: >-
+ Indicates whether the connector is used for system
+ actions.
type: boolean
name:
description: ' The name of the rule.'
@@ -666,9 +515,6 @@ paths:
- is_preconfigured
- is_deprecated
- is_system_action
- examples:
- getConnectorResponse:
- $ref: '#/components/examples/get_connector_response'
description: Indicates a successful call.
summary: Get connector information
tags:
@@ -686,7 +532,7 @@ paths:
- description: An identifier for the connector.
in: path
name: id
- required: true
+ required: false
schema:
type: string
requestBody:
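Review bot: `required: false` on the path parameter `id` is invalid: OpenAPI 3.0 requires every `in: path` parameter to carry `required: true`, and `/api/actions/connector/{id}` cannot be addressed without it, so validators will reject the document and generated clients may make the argument optional. Revert to `required: true`. The operation this parameter belongs to starts and ends outside the hunk, so the rest of its definition is not visible here.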
@@ -696,78 +542,23 @@ paths:
additionalProperties: false
type: object
properties:
+ config:
+ additionalProperties: {}
+ default: {}
+ type: object
connector_type_id:
description: The type of connector.
type: string
name:
description: The display name for the connector.
type: string
- config:
- additionalProperties: {}
- default: {}
- description: The connector configuration details.
- oneOf:
- - $ref: '#/components/schemas/bedrock_config'
- - $ref: '#/components/schemas/crowdstrike_config'
- - $ref: '#/components/schemas/d3security_config'
- - $ref: '#/components/schemas/email_config'
- - $ref: '#/components/schemas/gemini_config'
- - $ref: '#/components/schemas/resilient_config'
- - $ref: '#/components/schemas/index_config'
- - $ref: '#/components/schemas/jira_config'
- - $ref: '#/components/schemas/genai_azure_config'
- - $ref: '#/components/schemas/genai_openai_config'
- - $ref: '#/components/schemas/opsgenie_config'
- - $ref: '#/components/schemas/pagerduty_config'
- - $ref: '#/components/schemas/sentinelone_config'
- - $ref: '#/components/schemas/servicenow_config'
- - $ref: '#/components/schemas/servicenow_itom_config'
- - $ref: '#/components/schemas/slack_api_config'
- - $ref: '#/components/schemas/swimlane_config'
- - $ref: '#/components/schemas/thehive_config'
- - $ref: '#/components/schemas/tines_config'
- - $ref: '#/components/schemas/torq_config'
- - $ref: '#/components/schemas/webhook_config'
- - $ref: '#/components/schemas/cases_webhook_config'
- - $ref: '#/components/schemas/xmatters_config'
secrets:
additionalProperties: {}
default: {}
- oneOf:
- - $ref: '#/components/schemas/bedrock_secrets'
- - $ref: '#/components/schemas/crowdstrike_secrets'
- - $ref: '#/components/schemas/d3security_secrets'
- - $ref: '#/components/schemas/email_secrets'
- - $ref: '#/components/schemas/gemini_secrets'
- - $ref: '#/components/schemas/resilient_secrets'
- - $ref: '#/components/schemas/jira_secrets'
- - $ref: '#/components/schemas/defender_secrets'
- - $ref: '#/components/schemas/teams_secrets'
- - $ref: '#/components/schemas/genai_secrets'
- - $ref: '#/components/schemas/opsgenie_secrets'
- - $ref: '#/components/schemas/pagerduty_secrets'
- - $ref: '#/components/schemas/sentinelone_secrets'
- - $ref: '#/components/schemas/servicenow_secrets'
- - $ref: '#/components/schemas/slack_api_secrets'
- - $ref: '#/components/schemas/swimlane_secrets'
- - $ref: '#/components/schemas/thehive_secrets'
- - $ref: '#/components/schemas/tines_secrets'
- - $ref: '#/components/schemas/torq_secrets'
- - $ref: '#/components/schemas/webhook_secrets'
- - $ref: '#/components/schemas/cases_webhook_secrets'
- - $ref: '#/components/schemas/xmatters_secrets'
+ type: object
required:
- name
- connector_type_id
- examples:
- createEmailConnectorRequest:
- $ref: '#/components/examples/create_email_connector_request'
- createIndexConnectorRequest:
- $ref: '#/components/examples/create_index_connector_request'
- createWebhookConnectorRequest:
- $ref: '#/components/examples/create_webhook_connector_request'
- createXmattersConnectorRequest:
- $ref: '#/components/examples/create_xmatters_connector_request'
responses:
'200':
content:
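Review bot: The `config` and `secrets` request properties lose their `oneOf` lists of per-connector schemas and their descriptions, collapsing to an unconstrained `type: object` with `additionalProperties: {}`; the same happens to the update request in the hunk `@@ -843,68 +630,19 @@` and to `params` in `@@ -975,42 +720,9 @@`. That removes the only place the public spec documented which secret fields each connector type expects and which config keys are valid, so validation-driven clients and doc renderers regress to free-form objects. The reordering of `config` above `connector_type_id` with its `description` dropped reads like the generator lost the overlay that attached those refs rather than an intentional simplification; worth confirming the `#/components/schemas/*_config` and `*_secrets` definitions are still emitted further down and restoring the `oneOf` lists. The request body schema starts before this hunk.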
@@ -792,10 +583,15 @@ paths:
description: Indicates whether the connector is missing secrets.
type: boolean
is_preconfigured:
- description: 'Indicates whether the connector is preconfigured. If true, the `config` and `is_missing_secrets` properties are omitted from the response. '
+ description: >-
+ Indicates whether the connector is preconfigured. If true,
+ the `config` and `is_missing_secrets` properties are
+ omitted from the response.
type: boolean
is_system_action:
- description: Indicates whether the connector is used for system actions.
+ description: >-
+ Indicates whether the connector is used for system
+ actions.
type: boolean
name:
description: ' The name of the rule.'
@@ -807,15 +603,6 @@ paths:
- is_preconfigured
- is_deprecated
- is_system_action
- examples:
- createEmailConnectorResponse:
- $ref: '#/components/examples/create_email_connector_response'
- createIndexConnectorResponse:
- $ref: '#/components/examples/create_index_connector_response'
- createWebhookConnectorResponse:
- $ref: '#/components/examples/create_webhook_connector_response'
- createXmattersConnectorResponse:
- $ref: '#/components/examples/get_connector_response'
description: Indicates a successful call.
summary: Create a connector
tags:
@@ -843,68 +630,19 @@ paths:
additionalProperties: false
type: object
properties:
- name:
- description: The display name for the connector.
- type: string
config:
additionalProperties: {}
default: {}
- description: The connector configuration details.
- oneOf:
- - $ref: '#/components/schemas/bedrock_config'
- - $ref: '#/components/schemas/crowdstrike_config'
- - $ref: '#/components/schemas/d3security_config'
- - $ref: '#/components/schemas/email_config'
- - $ref: '#/components/schemas/gemini_config'
- - $ref: '#/components/schemas/resilient_config'
- - $ref: '#/components/schemas/index_config'
- - $ref: '#/components/schemas/jira_config'
- - $ref: '#/components/schemas/defender_config'
- - $ref: '#/components/schemas/genai_azure_config'
- - $ref: '#/components/schemas/genai_openai_config'
- - $ref: '#/components/schemas/opsgenie_config'
- - $ref: '#/components/schemas/pagerduty_config'
- - $ref: '#/components/schemas/sentinelone_config'
- - $ref: '#/components/schemas/servicenow_config'
- - $ref: '#/components/schemas/servicenow_itom_config'
- - $ref: '#/components/schemas/slack_api_config'
- - $ref: '#/components/schemas/swimlane_config'
- - $ref: '#/components/schemas/thehive_config'
- - $ref: '#/components/schemas/tines_config'
- - $ref: '#/components/schemas/torq_config'
- - $ref: '#/components/schemas/webhook_config'
- - $ref: '#/components/schemas/cases_webhook_config'
- - $ref: '#/components/schemas/xmatters_config'
+ type: object
+ name:
+ description: The display name for the connector.
+ type: string
secrets:
additionalProperties: {}
default: {}
- oneOf:
- - $ref: '#/components/schemas/bedrock_secrets'
- - $ref: '#/components/schemas/crowdstrike_secrets'
- - $ref: '#/components/schemas/d3security_secrets'
- - $ref: '#/components/schemas/email_secrets'
- - $ref: '#/components/schemas/gemini_secrets'
- - $ref: '#/components/schemas/resilient_secrets'
- - $ref: '#/components/schemas/jira_secrets'
- - $ref: '#/components/schemas/teams_secrets'
- - $ref: '#/components/schemas/genai_secrets'
- - $ref: '#/components/schemas/opsgenie_secrets'
- - $ref: '#/components/schemas/pagerduty_secrets'
- - $ref: '#/components/schemas/sentinelone_secrets'
- - $ref: '#/components/schemas/servicenow_secrets'
- - $ref: '#/components/schemas/slack_api_secrets'
- - $ref: '#/components/schemas/swimlane_secrets'
- - $ref: '#/components/schemas/thehive_secrets'
- - $ref: '#/components/schemas/tines_secrets'
- - $ref: '#/components/schemas/torq_secrets'
- - $ref: '#/components/schemas/webhook_secrets'
- - $ref: '#/components/schemas/cases_webhook_secrets'
- - $ref: '#/components/schemas/xmatters_secrets'
+ type: object
required:
- name
- examples:
- updateIndexConnectorRequest:
- $ref: '#/components/examples/update_index_connector_request'
responses:
'200':
content:
@@ -929,10 +667,15 @@ paths:
description: Indicates whether the connector is missing secrets.
type: boolean
is_preconfigured:
- description: 'Indicates whether the connector is preconfigured. If true, the `config` and `is_missing_secrets` properties are omitted from the response. '
+ description: >-
+ Indicates whether the connector is preconfigured. If true,
+ the `config` and `is_missing_secrets` properties are
+ omitted from the response.
type: boolean
is_system_action:
- description: Indicates whether the connector is used for system actions.
+ description: >-
+ Indicates whether the connector is used for system
+ actions.
type: boolean
name:
description: ' The name of the rule.'
@@ -950,7 +693,9 @@ paths:
- connectors
/api/actions/connector/{id}/_execute:
post:
- description: You can use this API to test an action that involves interaction with Kibana services or integrations with third-party systems.
+ description: >-
+ You can use this API to test an action that involves interaction with
+ Kibana services or integrations with third-party systems.
operationId: post-actions-connector-id-execute
parameters:
- description: A required header to protect against CSRF attacks
@@ -975,42 +720,9 @@ paths:
properties:
params:
additionalProperties: {}
- oneOf:
- - $ref: '#/components/schemas/run_acknowledge_resolve_pagerduty'
- - $ref: '#/components/schemas/run_documents'
- - $ref: '#/components/schemas/run_message_email'
- - $ref: '#/components/schemas/run_message_serverlog'
- - $ref: '#/components/schemas/run_message_slack'
- - $ref: '#/components/schemas/run_trigger_pagerduty'
- - $ref: '#/components/schemas/run_addevent'
- - $ref: '#/components/schemas/run_closealert'
- - $ref: '#/components/schemas/run_closeincident'
- - $ref: '#/components/schemas/run_createalert'
- - $ref: '#/components/schemas/run_fieldsbyissuetype'
- - $ref: '#/components/schemas/run_getagentdetails'
- - $ref: '#/components/schemas/run_getagents'
- - $ref: '#/components/schemas/run_getchoices'
- - $ref: '#/components/schemas/run_getfields'
- - $ref: '#/components/schemas/run_getincident'
- - $ref: '#/components/schemas/run_issue'
- - $ref: '#/components/schemas/run_issues'
- - $ref: '#/components/schemas/run_issuetypes'
- - $ref: '#/components/schemas/run_postmessage'
- - $ref: '#/components/schemas/run_pushtoservice'
- - $ref: '#/components/schemas/run_validchannelid'
+ type: object
required:
- params
- examples:
- runIndexConnectorRequest:
- $ref: '#/components/examples/run_index_connector_request'
- runJiraConnectorRequest:
- $ref: '#/components/examples/run_jira_connector_request'
- runServerLogConnectorRequest:
- $ref: '#/components/examples/run_servicenow_itom_connector_request'
- runSlackConnectorRequest:
- $ref: '#/components/examples/run_slack_api_connector_request'
- runSwimlaneConnectorRequest:
- $ref: '#/components/examples/run_swimlane_connector_request'
responses:
'200':
content:
@@ -1035,10 +747,15 @@ paths:
description: Indicates whether the connector is missing secrets.
type: boolean
is_preconfigured:
- description: 'Indicates whether the connector is preconfigured. If true, the `config` and `is_missing_secrets` properties are omitted from the response. '
+ description: >-
+ Indicates whether the connector is preconfigured. If true,
+ the `config` and `is_missing_secrets` properties are
+ omitted from the response.
type: boolean
is_system_action:
- description: Indicates whether the connector is used for system actions.
+ description: >-
+ Indicates whether the connector is used for system
+ actions.
type: boolean
name:
description: ' The name of the rule.'
@@ -1050,19 +767,6 @@ paths:
- is_preconfigured
- is_deprecated
- is_system_action
- examples:
- runIndexConnectorResponse:
- $ref: '#/components/examples/run_index_connector_response'
- runJiraConnectorResponse:
- $ref: '#/components/examples/run_jira_connector_response'
- runServerLogConnectorResponse:
- $ref: '#/components/examples/run_server_log_connector_response'
- runServiceNowITOMConnectorResponse:
- $ref: '#/components/examples/run_servicenow_itom_connector_response'
- runSlackConnectorResponse:
- $ref: '#/components/examples/run_slack_api_connector_response'
- runSwimlaneConnectorResponse:
- $ref: '#/components/examples/run_swimlane_connector_response'
description: Indicates a successful call.
summary: Run a connector
tags:
@@ -1071,14 +775,7 @@ paths:
get:
operationId: get-actions-connectors
parameters: []
- responses:
- '200':
- description: Indicates a successful call.
- content:
- application/json:
- examples:
- getConnectorsResponse:
- $ref: '#/components/examples/get_connectors_response'
+ responses: {}
summary: Get all connectors
tags:
- connectors
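Review bot: `responses: {}` on the new side is not a valid OpenAPI 3.0 Responses Object, which must contain at least one response code; schema validators and linters will reject the Get all connectors operation as written. Keeping the minimal success response that the old side carried avoids this: `responses:` / `'200':` / `description: Indicates a successful call.` (nested as before). The dropped example is history and not the point here; the empty object is. If this output is bundled from source schemas, the missing 200 response should be restored there so it is not regenerated empty.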
@@ -1093,8 +790,10 @@ paths:
- connectors
/api/alerting/_health:
get:
- description: |
- You must have `read` privileges for the **Management > Stack Rules** feature or for at least one of the **Analytics > Discover**, **Analytics > Machine Learning**, **Observability**, or **Security** features.
+ description: >
+ You must have `read` privileges for the **Management > Stack Rules**
+ feature or for at least one of the **Analytics > Discover**, **Analytics
+ > Machine Learning**, **Observability**, or **Security** features.
operationId: getAlertingHealth
responses:
'200':
@@ -1107,8 +806,10 @@ paths:
type: object
properties:
alerting_framework_health:
- description: |
- Three substates identify the health of the alerting framework: `decryption_health`, `execution_health`, and `read_health`.
+ description: >
+ Three substates identify the health of the alerting
+ framework: `decryption_health`, `execution_health`, and
+ `read_health`.
type: object
properties:
decryption_health:
@@ -1157,7 +858,9 @@ paths:
format: date-time
type: string
has_permanent_encryption_key:
- description: If `false`, the encrypted saved object plugin does not have a permanent encryption key.
+ description: >-
+ If `false`, the encrypted saved object plugin does not
+ have a permanent encryption key.
example: true
type: boolean
is_sufficiently_secure:
@@ -1176,8 +879,14 @@ paths:
- alerting
/api/alerting/rule_types:
get:
- description: |
- If you have `read` privileges for one or more Kibana features, the API response contains information about the appropriate rule types. For example, there are rule types associated with the **Management > Stack Rules** feature, **Analytics > Discover** and **Machine Learning** features, **Observability** features, and **Security** features. To get rule types associated with the **Stack Monitoring** feature, use the `monitoring_user` built-in role.
+ description: >
+ If you have `read` privileges for one or more Kibana features, the API
+ response contains information about the appropriate rule types. For
+ example, there are rule types associated with the **Management > Stack
+ Rules** feature, **Analytics > Discover** and **Machine Learning**
+ features, **Observability** features, and **Security** features. To get
+ rule types associated with the **Stack Monitoring** feature, use the
+ `monitoring_user` built-in role.
operationId: getRuleTypes
responses:
'200':
@@ -1191,8 +900,11 @@ paths:
type: object
properties:
action_groups:
- description: |
- An explicit list of groups for which the rule type can schedule actions, each with the action group's unique ID and human readable name. Rule actions validation uses this configuration to ensure that groups are valid.
+ description: >
+ An explicit list of groups for which the rule type can
+ schedule actions, each with the action group's unique ID
+ and human readable name. Rule actions validation uses
+ this configuration to ensure that groups are valid.
items:
type: object
properties:
@@ -1202,8 +914,13 @@ paths:
type: string
type: array
action_variables:
- description: |
- A list of action variables that the rule type makes available via context and state in action parameter templates, and a short human readable description. When you create a rule in Kibana, it uses this information to prompt you for these variables in action parameter editors.
+ description: >
+ A list of action variables that the rule type makes
+ available via context and state in action parameter
+ templates, and a short human readable description. When
+ you create a rule in Kibana, it uses this information to
+ prompt you for these variables in action parameter
+ editors.
type: object
properties:
context:
@@ -1236,8 +953,9 @@ paths:
type: string
type: array
alerts:
- description: |
- Details for writing alerts as data documents for this rule type.
+ description: >
+ Details for writing alerts as data documents for this
+ rule type.
type: object
properties:
context:
@@ -1263,37 +981,48 @@ paths:
- 'true'
type: string
isSpaceAware:
- description: |
- Indicates whether the alerts are space-aware. If true, space-specific alert indices are used.
+ description: >
+ Indicates whether the alerts are space-aware. If
+ true, space-specific alert indices are used.
type: boolean
mappings:
type: object
properties:
fieldMap:
additionalProperties:
- $ref: '#/components/schemas/Alerting_fieldmap_properties'
- description: |
- Mapping information for each field supported in alerts as data documents for this rule type. For more information about mapping parameters, refer to the Elasticsearch documentation.
+ $ref: >-
+ #/components/schemas/Alerting_fieldmap_properties
+ description: >
+ Mapping information for each field supported in
+ alerts as data documents for this rule type. For
+ more information about mapping parameters, refer
+ to the Elasticsearch documentation.
type: object
secondaryAlias:
- description: |
- A secondary alias. It is typically used to support the signals alias for detection rules.
+ description: >
+ A secondary alias. It is typically used to support
+ the signals alias for detection rules.
type: string
shouldWrite:
- description: |
- Indicates whether the rule should write out alerts as data.
+ description: >
+ Indicates whether the rule should write out alerts
+ as data.
type: boolean
useEcs:
- description: |
- Indicates whether to include the ECS component template for the alerts.
+ description: >
+ Indicates whether to include the ECS component
+ template for the alerts.
type: boolean
useLegacyAlerts:
default: false
- description: |
- Indicates whether to include the legacy component template for the alerts.
+ description: >
+ Indicates whether to include the legacy component
+ template for the alerts.
type: boolean
authorized_consumers:
- description: The list of the plugins IDs that have access to the rule type.
+ description: >-
+ The list of the plugins IDs that have access to the rule
+ type.
type: object
properties:
alerts:
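Review bot: The `$ref` under `fieldMap.additionalProperties` is now written as a folded block scalar (`$ref: >-` with the pointer on the next line). It is valid YAML and resolves to the same string, but it defeats grepping for `$ref: '#/components/...` and is the only `$ref` style in this hunk that a human would not recognise at a glance. Prefer keeping references on one line even when it exceeds the wrap width, `$ref: '#/components/schemas/Alerting_fieldmap_properties'`, for example by excluding `$ref` lines from the formatter's line-length rule. The same pattern may appear in other hunks of this file outside this view.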
@@ -1374,7 +1103,9 @@ paths:
read:
type: boolean
category:
- description: The rule category, which is used by features such as category-specific maintenance windows.
+ description: >-
+ The rule category, which is used by features such as
+ category-specific maintenance windows.
enum:
- management
- observability
@@ -1384,13 +1115,19 @@ paths:
description: The default identifier for the rule type group.
type: string
does_set_recovery_context:
- description: Indicates whether the rule passes context variables to its recovery action.
+ description: >-
+ Indicates whether the rule passes context variables to
+ its recovery action.
type: boolean
enabled_in_license:
- description: Indicates whether the rule type is enabled or disabled based on the subscription.
+ description: >-
+ Indicates whether the rule type is enabled or disabled
+ based on the subscription.
type: boolean
has_alerts_mappings:
- description: Indicates whether the rule type has custom mappings for the alert data.
+ description: >-
+ Indicates whether the rule type has custom mappings for
+ the alert data.
type: boolean
has_fields_for_a_a_d:
type: boolean
@@ -1398,7 +1135,9 @@ paths:
description: The unique identifier for the rule type.
type: string
is_exportable:
- description: Indicates whether the rule type is exportable in **Stack Management > Saved Objects**.
+ description: >-
+ Indicates whether the rule type is exportable in **Stack
+ Management > Saved Objects**.
type: boolean
minimum_license_required:
description: The subscriptions required to use the rule type.
@@ -1408,11 +1147,15 @@ paths:
description: The descriptive name of the rule type.
type: string
producer:
- description: An identifier for the application that produces this rule type.
+ description: >-
+ An identifier for the application that produces this
+ rule type.
example: stackAlerts
type: string
recovery_action_group:
- description: An action group to use when an alert goes from an active state to an inactive one.
+ description: >-
+ An action group to use when an alert goes from an active
+ state to an inactive one.
type: object
properties:
id:
@@ -1486,7 +1229,9 @@ paths:
properties:
alerts_filter:
additionalProperties: false
- description: Defines a period that limits whether the action runs.
+ description: >-
+ Defines a period that limits whether the action
+ runs.
type: object
properties:
query:
@@ -1494,10 +1239,15 @@ paths:
type: object
properties:
dsl:
- description: A filter written in Elasticsearch Query Domain Specific Language (DSL).
+ description: >-
+ A filter written in Elasticsearch Query
+ Domain Specific Language (DSL).
type: string
filters:
- description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package.
+ description: >-
+ A filter written in Elasticsearch Query
+ Domain Specific Language (DSL) as defined in
+ the `kbn-es-query` package.
items:
additionalProperties: false
type: object
@@ -1507,7 +1257,9 @@ paths:
type: object
properties:
store:
- description: A filter can be either specific to an application context or applied globally.
+ description: >-
+ A filter can be either specific to an
+ application context or applied globally.
enum:
- appState
- globalState
@@ -1524,7 +1276,9 @@ paths:
- meta
type: array
kql:
- description: A filter written in Kibana Query Language (KQL).
+ description: >-
+ A filter written in Kibana Query Language
+ (KQL).
type: string
required:
- kql
@@ -1534,7 +1288,12 @@ paths:
type: object
properties:
days:
- description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week.
+ description: >-
+ Defines the days of the week that the action
+ can run, represented as an array of numbers.
+ For example, `1` represents Monday. An empty
+ array is equivalent to specifying all the
+ days of the week.
items:
enum:
- 1
@@ -1551,30 +1310,55 @@ paths:
type: object
properties:
end:
- description: The end of the time frame in 24-hour notation (`hh:mm`).
+ description: >-
+ The end of the time frame in 24-hour
+ notation (`hh:mm`).
type: string
start:
- description: The start of the time frame in 24-hour notation (`hh:mm`).
+ description: >-
+ The start of the time frame in 24-hour
+ notation (`hh:mm`).
type: string
required:
- start
- end
timezone:
- description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended.
+ description: >-
+ The ISO time zone for the `hours` values.
+ Values such as `UTC` and `UTC+1` also work
+ but lack built-in daylight savings time
+ support and are not recommended.
type: string
required:
- days
- hours
- timezone
connector_type_id:
- description: The type of connector. This property appears in responses but cannot be set in requests.
+ description: >-
+ The type of connector. This property appears in
+ responses but cannot be set in requests.
type: string
frequency:
additionalProperties: false
type: object
properties:
notify_when:
- description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
+ description: >-
+ Indicates how often alerts generate actions.
+ Valid values include: `onActionGroupChange`:
+ Actions run when the alert status changes;
+ `onActiveAlert`: Actions run when the alert
+ becomes active and at each check interval while
+ the rule conditions are met;
+ `onThrottleInterval`: Actions run when the alert
+ becomes active and at the interval specified in
+ the throttle property while the rule conditions
+ are met. NOTE: You cannot specify `notify_when`
+ at both the rule and action level. The
+ recommended method is to set it for each action.
+ If you set it at the rule level then update the
+ rule in Kibana, it is automatically changed to
+ use action-specific values.
enum:
- onActionGroupChange
- onActiveAlert
@@ -1584,7 +1368,18 @@ paths:
description: Indicates whether the action is a summary.
type: boolean
throttle:
- description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if ''notify_when'' is set to ''onThrottleInterval''. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
+ description: >-
+ The throttle interval, which defines how often
+ an alert generates repeated actions. It is
+ specified in seconds, minutes, hours, or days
+ and is applicable only if 'notify_when' is set
+ to 'onThrottleInterval'. NOTE: You cannot
+ specify the throttle interval at both the rule
+ and action level. The recommended method is to
+ set it for each action. If you set it at the
+ rule level then update the rule in Kibana, it is
+ automatically changed to use action-specific
+ values.
nullable: true
type: string
required:
@@ -1592,20 +1387,30 @@ paths:
- notify_when
- throttle
group:
- description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`.
+ description: >-
+ The group name, which affects when the action runs
+ (for example, when the threshold is met or when the
+ alert is recovered). Each rule type has a list of
+ valid action group names. If you don't need to group
+ actions, set to `default`.
type: string
id:
description: The identifier for the connector saved object.
type: string
params:
additionalProperties: {}
- description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context.
+ description: >-
+ The parameters for the action, which are sent to the
+ connector. The `params` are handled as Mustache
+ templates and passed a default set of context.
type: object
use_alert_data_for_template:
description: Indicates whether to use alert data as a template.
type: boolean
uuid:
- description: A universally unique identifier (UUID) for the action.
+ description: >-
+ A universally unique identifier (UUID) for the
+ action.
type: string
required:
- id
@@ -1619,20 +1424,28 @@ paths:
type: array
alert_delay:
additionalProperties: false
- description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions.
+ description: >-
+ Indicates that an alert occurs only when the specified
+ number of consecutive runs met the rule conditions.
type: object
properties:
active:
- description: The number of consecutive runs that must meet the rule conditions.
+ description: >-
+ The number of consecutive runs that must meet the rule
+ conditions.
type: number
required:
- active
api_key_created_by_user:
- description: Indicates whether the API key that is associated with the rule was created by the user.
+ description: >-
+ Indicates whether the API key that is associated with the
+ rule was created by the user.
nullable: true
type: boolean
api_key_owner:
- description: The owner of the API key that is associated with the rule and used to run background tasks.
+ description: >-
+ The owner of the API key that is associated with the rule
+ and used to run background tasks.
nullable: true
type: string
artifacts:
@@ -1654,12 +1467,18 @@ paths:
type: object
properties:
blob:
- description: User-created content that describes alert causes and remdiation.
+ description: >-
+ User-created content that describes alert causes
+ and remdiation.
type: string
required:
- blob
consumer:
- description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.'
+ description: >-
+ The name of the application or feature that owns the rule.
+ For example: `alerts`, `apm`, `discover`,
+ `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`,
+ `securitySolution`, `siem`, `stackAlerts`, or `uptime`.
type: string
created_at:
description: The date and time that the rule was created.
@@ -1669,7 +1488,9 @@ paths:
nullable: true
type: string
enabled:
- description: Indicates whether you want to run the rule on an interval basis after it is created.
+ description: >-
+ Indicates whether you want to run the rule on an interval
+ basis after it is created.
type: boolean
execution_status:
additionalProperties: false
@@ -1736,17 +1557,24 @@ paths:
- last_execution_date
flapping:
additionalProperties: false
- description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced.
+ description: >-
+ When flapping detection is turned on, alerts that switch
+ quickly between active and recovered states are identified
+ as “flapping” and notifications are reduced.
nullable: true
type: object
properties:
look_back_window:
- description: The minimum number of runs in which the threshold must be met.
+ description: >-
+ The minimum number of runs in which the threshold must
+ be met.
maximum: 20
minimum: 2
type: number
status_change_threshold:
- description: The minimum number of times an alert must switch states in the look back window.
+ description: >-
+ The minimum number of times an alert must switch
+ states in the look back window.
maximum: 20
minimum: 2
type: number
@@ -1786,7 +1614,9 @@ paths:
nullable: true
type: number
outcome:
- description: Outcome of last run of the rule. Value could be succeeded, warning or failed.
+ description: >-
+ Outcome of last run of the rule. Value could be
+ succeeded, warning or failed.
enum:
- succeeded
- warning
@@ -1836,7 +1666,9 @@ paths:
properties:
calculated_metrics:
additionalProperties: false
- description: Calculation of different percentiles and success ratio.
+ description: >-
+ Calculation of different percentiles and success
+ ratio.
type: object
properties:
p50:
@@ -1859,14 +1691,18 @@ paths:
description: Duration of the rule run.
type: number
outcome:
- description: Outcome of last run of the rule. Value could be succeeded, warning or failed.
+ description: >-
+ Outcome of last run of the rule. Value could
+ be succeeded, warning or failed.
enum:
- succeeded
- warning
- failed
type: string
success:
- description: Indicates whether the rule run was successful.
+ description: >-
+ Indicates whether the rule run was
+ successful.
type: boolean
timestamp:
description: Time of rule run.
@@ -1905,19 +1741,29 @@ paths:
- lte
- gte
total_alerts_created:
- description: Total number of alerts created during last rule run.
+ description: >-
+ Total number of alerts created during last
+ rule run.
nullable: true
type: number
total_alerts_detected:
- description: Total number of alerts detected during last rule run.
+ description: >-
+ Total number of alerts detected during
+ last rule run.
nullable: true
type: number
total_indexing_duration_ms:
- description: Total time spent indexing documents during last rule run in milliseconds.
+ description: >-
+ Total time spent indexing documents during
+ last rule run in milliseconds.
nullable: true
type: number
total_search_duration_ms:
- description: Total time spent performing Elasticsearch searches as measured by Kibana; includes network latency and time spent serializing or deserializing the request and response.
+ description: >-
+ Total time spent performing Elasticsearch
+ searches as measured by Kibana; includes
+ network latency and time spent serializing
+ or deserializing the request and response.
nullable: true
type: number
timestamp:
@@ -1948,7 +1794,19 @@ paths:
nullable: true
type: string
notify_when:
- description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
+ description: >-
+ Indicates how often alerts generate actions. Valid values
+ include: `onActionGroupChange`: Actions run when the alert
+ status changes; `onActiveAlert`: Actions run when the
+ alert becomes active and at each check interval while the
+ rule conditions are met; `onThrottleInterval`: Actions run
+ when the alert becomes active and at the interval
+ specified in the throttle property while the rule
+ conditions are met. NOTE: You cannot specify `notify_when`
+ at both the rule and action level. The recommended method
+ is to set it for each action. If you set it at the rule
+ level then update the rule in Kibana, it is automatically
+ changed to use action-specific values.
enum:
- onActionGroupChange
- onActiveAlert
@@ -1974,7 +1832,9 @@ paths:
type: object
properties:
interval:
- description: The interval is specified in seconds, minutes, hours, or days.
+ description: >-
+ The interval is specified in seconds, minutes, hours,
+ or days.
type: string
required:
- interval
@@ -2010,7 +1870,9 @@ paths:
type: array
bymonth:
items:
- description: Indicates months of the year that this rule should recur.
+ description: >-
+ Indicates months of the year that this rule
+ should recur.
type: number
nullable: true
type: array
@@ -2028,7 +1890,12 @@ paths:
type: array
bysetpos:
items:
- description: A positive or negative integer affecting the nth day of the month. For example, -2 combined with `byweekday` of FR is 2nd to last Friday of the month. It is recommended to not set this manually and just use `byweekday`.
+ description: >-
+ A positive or negative integer affecting the
+ nth day of the month. For example, -2 combined
+ with `byweekday` of FR is 2nd to last Friday
+ of the month. It is recommended to not set
+ this manually and just use `byweekday`.
type: number
nullable: true
type: array
@@ -2037,7 +1904,13 @@ paths:
anyOf:
- type: string
- type: number
- description: Indicates the days of the week to recur or else nth-day-of-month strings. For example, "+2TU" second Tuesday of month, "-1FR" last Friday of the month, which are internally converted to a `byweekday/bysetpos` combination.
+ description: >-
+ Indicates the days of the week to recur or
+ else nth-day-of-month strings. For example,
+ "+2TU" second Tuesday of month, "-1FR" last
+ Friday of the month, which are internally
+ converted to a `byweekday/bysetpos`
+ combination.
nullable: true
type: array
byweekno:
@@ -2048,18 +1921,26 @@ paths:
type: array
byyearday:
items:
- description: Indicates the days of the year that this rule should recur.
+ description: >-
+ Indicates the days of the year that this rule
+ should recur.
type: number
nullable: true
type: array
count:
- description: Number of times the rule should recur until it stops.
+ description: >-
+ Number of times the rule should recur until it
+ stops.
type: number
dtstart:
- description: Rule start date in Coordinated Universal Time (UTC).
+ description: >-
+ Rule start date in Coordinated Universal Time
+ (UTC).
type: string
freq:
- description: Indicates frequency of the rule. Options are YEARLY, MONTHLY, WEEKLY, DAILY.
+ description: >-
+ Indicates frequency of the rule. Options are
+ YEARLY, MONTHLY, WEEKLY, DAILY.
enum:
- 0
- 1
@@ -2070,7 +1951,10 @@ paths:
- 6
type: integer
interval:
- description: Indicates the interval of frequency. For example, 1 and YEARLY is every 1 year, 2 and WEEKLY is every 2 weeks.
+ description: >-
+ Indicates the interval of frequency. For
+ example, 1 and YEARLY is every 1 year, 2 and
+ WEEKLY is every 2 weeks.
type: number
tzid:
description: Indicates timezone abbreviation.
@@ -2108,14 +1992,23 @@ paths:
type: array
throttle:
deprecated: true
- description: 'Deprecated in 8.13.0. Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
+ description: >-
+ Deprecated in 8.13.0. Use the `throttle` property in the
+ action `frequency` object instead. The throttle interval,
+ which defines how often an alert generates repeated
+ actions. NOTE: You cannot specify the throttle interval at
+ both the rule and action level. If you set it at the rule
+ level then update the rule in Kibana, it is automatically
+ changed to use action-specific values.
nullable: true
type: string
updated_at:
description: The date and time that the rule was updated most recently.
type: string
updated_by:
- description: The identifier for the user that updated this rule most recently.
+ description: >-
+ The identifier for the user that updated this rule most
+ recently.
nullable: true
type: string
view_in_app_relative_url:
@@ -2161,10 +2054,12 @@ paths:
schema:
example: 'true'
type: string
- - description: The identifier for the rule. If it is omitted, an ID is randomly generated.
+ - description: >-
+ The identifier for the rule. If it is omitted, an ID is randomly
+ generated.
in: path
name: id
- required: true
+ required: false
schema:
type: string
requestBody:
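Review bot: `required: false` on a parameter with `in: path` is invalid in OpenAPI 3.0: path parameters must always be `required: true`, and validators will flag the new line. The description says the ID can be omitted, but an optional path segment cannot be expressed on a single path item; the conventional modelling is two operations, one on the path with `{id}` (with `required: true`) and one on the path without the segment. The path this parameter belongs to is outside the hunk, so I cannot tell whether the segment-less variant already exists elsewhere in the document. As with the other hunks, if this file is bundled output the fix belongs in the source schema.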
@@ -2183,7 +2078,12 @@ paths:
properties:
alerts_filter:
additionalProperties: false
- description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs.
+ description: >-
+ Conditions that affect whether the action runs. If you
+ specify multiple conditions, all conditions must be
+ met for the action to run. For example, if an alert
+ occurs within the specified time frame and matches the
+ query, the action runs.
type: object
properties:
query:
@@ -2191,10 +2091,15 @@ paths:
type: object
properties:
dsl:
- description: A filter written in Elasticsearch Query Domain Specific Language (DSL).
+ description: >-
+ A filter written in Elasticsearch Query Domain
+ Specific Language (DSL).
type: string
filters:
- description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package.
+ description: >-
+ A filter written in Elasticsearch Query Domain
+ Specific Language (DSL) as defined in the
+ `kbn-es-query` package.
items:
additionalProperties: false
type: object
@@ -2204,7 +2109,9 @@ paths:
type: object
properties:
store:
- description: A filter can be either specific to an application context or applied globally.
+ description: >-
+ A filter can be either specific to an
+ application context or applied globally.
enum:
- appState
- globalState
@@ -2221,18 +2128,27 @@ paths:
- meta
type: array
kql:
- description: A filter written in Kibana Query Language (KQL).
+ description: >-
+ A filter written in Kibana Query Language
+ (KQL).
type: string
required:
- kql
- filters
timeframe:
additionalProperties: false
- description: Defines a period that limits whether the action runs.
+ description: >-
+ Defines a period that limits whether the action
+ runs.
type: object
properties:
days:
- description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week.
+ description: >-
+ Defines the days of the week that the action
+ can run, represented as an array of numbers.
+ For example, `1` represents Monday. An empty
+ array is equivalent to specifying all the days
+ of the week.
items:
enum:
- 1
@@ -2246,20 +2162,32 @@ paths:
type: array
hours:
additionalProperties: false
- description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions be generated all day.
+ description: >-
+ Defines the range of time in a day that the
+ action can run. If the `start` value is
+ `00:00` and the `end` value is `24:00`,
+ actions be generated all day.
type: object
properties:
end:
- description: The end of the time frame in 24-hour notation (`hh:mm`).
+ description: >-
+ The end of the time frame in 24-hour
+ notation (`hh:mm`).
type: string
start:
- description: The start of the time frame in 24-hour notation (`hh:mm`).
+ description: >-
+ The start of the time frame in 24-hour
+ notation (`hh:mm`).
type: string
required:
- start
- end
timezone:
- description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended.
+ description: >-
+ The ISO time zone for the `hours` values.
+ Values such as `UTC` and `UTC+1` also work but
+ lack built-in daylight savings time support
+ and are not recommended.
type: string
required:
- days
@@ -2270,7 +2198,21 @@ paths:
type: object
properties:
notify_when:
- description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
+ description: >-
+ Indicates how often alerts generate actions. Valid
+ values include: `onActionGroupChange`: Actions run
+ when the alert status changes; `onActiveAlert`:
+ Actions run when the alert becomes active and at
+ each check interval while the rule conditions are
+ met; `onThrottleInterval`: Actions run when the
+ alert becomes active and at the interval specified
+ in the throttle property while the rule conditions
+ are met. NOTE: You cannot specify `notify_when` at
+ both the rule and action level. The recommended
+ method is to set it for each action. If you set it
+ at the rule level then update the rule in Kibana,
+ it is automatically changed to use action-specific
+ values.
enum:
- onActionGroupChange
- onActiveAlert
@@ -2280,7 +2222,17 @@ paths:
description: Indicates whether the action is a summary.
type: boolean
throttle:
- description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
+ description: >-
+ The throttle interval, which defines how often an
+ alert generates repeated actions. It is specified
+ in seconds, minutes, hours, or days and is
+ applicable only if `notify_when` is set to
+ `onThrottleInterval`. NOTE: You cannot specify the
+ throttle interval at both the rule and action
+ level. The recommended method is to set it for
+ each action. If you set it at the rule level then
+ update the rule in Kibana, it is automatically
+ changed to use action-specific values.
nullable: true
type: string
required:
@@ -2288,7 +2240,12 @@ paths:
- notify_when
- throttle
group:
- description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`.
+ description: >-
+ The group name, which affects when the action runs
+ (for example, when the threshold is met or when the
+ alert is recovered). Each rule type has a list of
+ valid action group names. If you don't need to group
+ actions, set to `default`.
type: string
id:
description: The identifier for the connector saved object.
@@ -2296,7 +2253,10 @@ paths:
params:
additionalProperties: {}
default: {}
- description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context.
+ description: >-
+ The parameters for the action, which are sent to the
+ connector. The `params` are handled as Mustache
+ templates and passed a default set of context.
type: object
use_alert_data_for_template:
description: Indicates whether to use alert data as a template.
@@ -2309,11 +2269,15 @@ paths:
type: array
alert_delay:
additionalProperties: false
- description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions.
+ description: >-
+ Indicates that an alert occurs only when the specified
+ number of consecutive runs met the rule conditions.
type: object
properties:
active:
- description: The number of consecutive runs that must meet the rule conditions.
+ description: >-
+ The number of consecutive runs that must meet the rule
+ conditions.
type: number
required:
- active
@@ -2342,25 +2306,38 @@ paths:
required:
- blob
consumer:
- description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.'
+ description: >-
+ The name of the application or feature that owns the rule.
+ For example: `alerts`, `apm`, `discover`, `infrastructure`,
+ `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`,
+ `siem`, `stackAlerts`, or `uptime`.
type: string
enabled:
default: true
- description: Indicates whether you want to run the rule on an interval basis after it is created.
+ description: >-
+ Indicates whether you want to run the rule on an interval
+ basis after it is created.
type: boolean
flapping:
additionalProperties: false
- description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced.
+ description: >-
+ When flapping detection is turned on, alerts that switch
+ quickly between active and recovered states are identified
+ as “flapping” and notifications are reduced.
nullable: true
type: object
properties:
look_back_window:
- description: The minimum number of runs in which the threshold must be met.
+ description: >-
+ The minimum number of runs in which the threshold must
+ be met.
maximum: 20
minimum: 2
type: number
status_change_threshold:
- description: The minimum number of times an alert must switch states in the look back window.
+ description: >-
+ The minimum number of times an alert must switch states
+ in the look back window.
maximum: 20
minimum: 2
type: number
@@ -2368,26 +2345,49 @@ paths:
- look_back_window
- status_change_threshold
name:
- description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
+ description: >-
+ The name of the rule. While this name does not have to be
+ unique, a distinctive name can help you identify a rule.
type: string
notify_when:
- description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
+ description: >-
+ Indicates how often alerts generate actions. Valid values
+ include: `onActionGroupChange`: Actions run when the alert
+ status changes; `onActiveAlert`: Actions run when the alert
+ becomes active and at each check interval while the rule
+ conditions are met; `onThrottleInterval`: Actions run when
+ the alert becomes active and at the interval specified in
+ the throttle property while the rule conditions are met.
+ NOTE: You cannot specify `notify_when` at both the rule and
+ action level. The recommended method is to set it for each
+ action. If you set it at the rule level then update the rule
+ in Kibana, it is automatically changed to use
+ action-specific values.
enum:
- onActionGroupChange
- onActiveAlert
- onThrottleInterval
nullable: true
type: string
+ params:
+ additionalProperties: {}
+ default: {}
+ description: The parameters for the rule.
+ type: object
rule_type_id:
description: The rule type identifier.
type: string
schedule:
additionalProperties: false
- description: The check interval, which specifies how frequently the rule conditions are checked.
+ description: >-
+ The check interval, which specifies how frequently the rule
+ conditions are checked.
type: object
properties:
interval:
- description: The interval is specified in seconds, minutes, hours, or days.
+ description: >-
+ The interval is specified in seconds, minutes, hours, or
+ days.
type: string
required:
- interval
@@ -2398,44 +2398,20 @@ paths:
type: string
type: array
throttle:
- description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
+ description: >-
+ Use the `throttle` property in the action `frequency` object
+ instead. The throttle interval, which defines how often an
+ alert generates repeated actions. NOTE: You cannot specify
+ the throttle interval at both the rule and action level. If
+ you set it at the rule level then update the rule in Kibana,
+ it is automatically changed to use action-specific values.
nullable: true
type: string
- params:
- additionalProperties: {}
- default: {}
- description: The parameters for the rule.
- anyOf:
- - $ref: '#/components/schemas/params_property_apm_anomaly'
- - $ref: '#/components/schemas/params_property_apm_error_count'
- - $ref: '#/components/schemas/params_property_apm_transaction_duration'
- - $ref: '#/components/schemas/params_property_apm_transaction_error_rate'
- - $ref: '#/components/schemas/params_es_query_dsl_rule'
- - $ref: '#/components/schemas/params_es_query_esql_rule'
- - $ref: '#/components/schemas/params_es_query_kql_rule'
- - $ref: '#/components/schemas/params_index_threshold_rule'
- - $ref: '#/components/schemas/params_property_infra_inventory'
- - $ref: '#/components/schemas/params_property_log_threshold'
- - $ref: '#/components/schemas/params_property_infra_metric_threshold'
- - $ref: '#/components/schemas/params_property_slo_burn_rate'
- - $ref: '#/components/schemas/params_property_synthetics_uptime_tls'
- - $ref: '#/components/schemas/params_property_synthetics_monitor_status'
required:
- name
- rule_type_id
- consumer
- schedule
- examples:
- createEsQueryEsqlRuleRequest:
- $ref: '#/components/examples/create_es_query_esql_rule_request'
- createEsQueryRuleRequest:
- $ref: '#/components/examples/create_es_query_rule_request'
- createEsQueryKqlRuleRequest:
- $ref: '#/components/examples/create_es_query_kql_rule_request'
- createIndexThresholdRuleRequest:
- $ref: '#/components/examples/create_index_threshold_rule_request'
- createTrackingContainmentRuleRequest:
- $ref: '#/components/examples/create_tracking_containment_rule_request'
responses:
'200':
content:
@@ -2451,7 +2427,9 @@ paths:
properties:
alerts_filter:
additionalProperties: false
- description: Defines a period that limits whether the action runs.
+ description: >-
+ Defines a period that limits whether the action
+ runs.
type: object
properties:
query:
@@ -2459,10 +2437,15 @@ paths:
type: object
properties:
dsl:
- description: A filter written in Elasticsearch Query Domain Specific Language (DSL).
+ description: >-
+ A filter written in Elasticsearch Query
+ Domain Specific Language (DSL).
type: string
filters:
- description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package.
+ description: >-
+ A filter written in Elasticsearch Query
+ Domain Specific Language (DSL) as defined in
+ the `kbn-es-query` package.
items:
additionalProperties: false
type: object
@@ -2472,7 +2455,9 @@ paths:
type: object
properties:
store:
- description: A filter can be either specific to an application context or applied globally.
+ description: >-
+ A filter can be either specific to an
+ application context or applied globally.
enum:
- appState
- globalState
@@ -2489,7 +2474,9 @@ paths:
- meta
type: array
kql:
- description: A filter written in Kibana Query Language (KQL).
+ description: >-
+ A filter written in Kibana Query Language
+ (KQL).
type: string
required:
- kql
@@ -2499,7 +2486,12 @@ paths:
type: object
properties:
days:
- description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week.
+ description: >-
+ Defines the days of the week that the action
+ can run, represented as an array of numbers.
+ For example, `1` represents Monday. An empty
+ array is equivalent to specifying all the
+ days of the week.
items:
enum:
- 1
@@ -2516,30 +2508,55 @@ paths:
type: object
properties:
end:
- description: The end of the time frame in 24-hour notation (`hh:mm`).
+ description: >-
+ The end of the time frame in 24-hour
+ notation (`hh:mm`).
type: string
start:
- description: The start of the time frame in 24-hour notation (`hh:mm`).
+ description: >-
+ The start of the time frame in 24-hour
+ notation (`hh:mm`).
type: string
required:
- start
- end
timezone:
- description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended.
+ description: >-
+ The ISO time zone for the `hours` values.
+ Values such as `UTC` and `UTC+1` also work
+ but lack built-in daylight savings time
+ support and are not recommended.
type: string
required:
- days
- hours
- timezone
connector_type_id:
- description: The type of connector. This property appears in responses but cannot be set in requests.
+ description: >-
+ The type of connector. This property appears in
+ responses but cannot be set in requests.
type: string
frequency:
additionalProperties: false
type: object
properties:
notify_when:
- description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
+ description: >-
+ Indicates how often alerts generate actions.
+ Valid values include: `onActionGroupChange`:
+ Actions run when the alert status changes;
+ `onActiveAlert`: Actions run when the alert
+ becomes active and at each check interval while
+ the rule conditions are met;
+ `onThrottleInterval`: Actions run when the alert
+ becomes active and at the interval specified in
+ the throttle property while the rule conditions
+ are met. NOTE: You cannot specify `notify_when`
+ at both the rule and action level. The
+ recommended method is to set it for each action.
+ If you set it at the rule level then update the
+ rule in Kibana, it is automatically changed to
+ use action-specific values.
enum:
- onActionGroupChange
- onActiveAlert
@@ -2549,7 +2566,18 @@ paths:
description: Indicates whether the action is a summary.
type: boolean
throttle:
- description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if ''notify_when'' is set to ''onThrottleInterval''. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
+ description: >-
+ The throttle interval, which defines how often
+ an alert generates repeated actions. It is
+ specified in seconds, minutes, hours, or days
+ and is applicable only if 'notify_when' is set
+ to 'onThrottleInterval'. NOTE: You cannot
+ specify the throttle interval at both the rule
+ and action level. The recommended method is to
+ set it for each action. If you set it at the
+ rule level then update the rule in Kibana, it is
+ automatically changed to use action-specific
+ values.
nullable: true
type: string
required:
@@ -2557,20 +2585,30 @@ paths:
- notify_when
- throttle
group:
- description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`.
+ description: >-
+ The group name, which affects when the action runs
+ (for example, when the threshold is met or when the
+ alert is recovered). Each rule type has a list of
+ valid action group names. If you don't need to group
+ actions, set to `default`.
type: string
id:
description: The identifier for the connector saved object.
type: string
params:
additionalProperties: {}
- description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context.
+ description: >-
+ The parameters for the action, which are sent to the
+ connector. The `params` are handled as Mustache
+ templates and passed a default set of context.
type: object
use_alert_data_for_template:
description: Indicates whether to use alert data as a template.
type: boolean
uuid:
- description: A universally unique identifier (UUID) for the action.
+ description: >-
+ A universally unique identifier (UUID) for the
+ action.
type: string
required:
- id
@@ -2584,20 +2622,28 @@ paths:
type: array
alert_delay:
additionalProperties: false
- description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions.
+ description: >-
+ Indicates that an alert occurs only when the specified
+ number of consecutive runs met the rule conditions.
type: object
properties:
active:
- description: The number of consecutive runs that must meet the rule conditions.
+ description: >-
+ The number of consecutive runs that must meet the rule
+ conditions.
type: number
required:
- active
api_key_created_by_user:
- description: Indicates whether the API key that is associated with the rule was created by the user.
+ description: >-
+ Indicates whether the API key that is associated with the
+ rule was created by the user.
nullable: true
type: boolean
api_key_owner:
- description: The owner of the API key that is associated with the rule and used to run background tasks.
+ description: >-
+ The owner of the API key that is associated with the rule
+ and used to run background tasks.
nullable: true
type: string
artifacts:
@@ -2619,12 +2665,18 @@ paths:
type: object
properties:
blob:
- description: User-created content that describes alert causes and remdiation.
+ description: >-
+ User-created content that describes alert causes
+ and remdiation.
type: string
required:
- blob
consumer:
- description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.'
+ description: >-
+ The name of the application or feature that owns the rule.
+ For example: `alerts`, `apm`, `discover`,
+ `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`,
+ `securitySolution`, `siem`, `stackAlerts`, or `uptime`.
type: string
created_at:
description: The date and time that the rule was created.
@@ -2634,7 +2686,9 @@ paths:
nullable: true
type: string
enabled:
- description: Indicates whether you want to run the rule on an interval basis after it is created.
+ description: >-
+ Indicates whether you want to run the rule on an interval
+ basis after it is created.
type: boolean
execution_status:
additionalProperties: false
@@ -2701,17 +2755,24 @@ paths:
- last_execution_date
flapping:
additionalProperties: false
- description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced.
+ description: >-
+ When flapping detection is turned on, alerts that switch
+ quickly between active and recovered states are identified
+ as “flapping” and notifications are reduced.
nullable: true
type: object
properties:
look_back_window:
- description: The minimum number of runs in which the threshold must be met.
+ description: >-
+ The minimum number of runs in which the threshold must
+ be met.
maximum: 20
minimum: 2
type: number
status_change_threshold:
- description: The minimum number of times an alert must switch states in the look back window.
+ description: >-
+ The minimum number of times an alert must switch
+ states in the look back window.
maximum: 20
minimum: 2
type: number
@@ -2751,7 +2812,9 @@ paths:
nullable: true
type: number
outcome:
- description: Outcome of last run of the rule. Value could be succeeded, warning or failed.
+ description: >-
+ Outcome of last run of the rule. Value could be
+ succeeded, warning or failed.
enum:
- succeeded
- warning
@@ -2801,7 +2864,9 @@ paths:
properties:
calculated_metrics:
additionalProperties: false
- description: Calculation of different percentiles and success ratio.
+ description: >-
+ Calculation of different percentiles and success
+ ratio.
type: object
properties:
p50:
@@ -2824,14 +2889,18 @@ paths:
description: Duration of the rule run.
type: number
outcome:
- description: Outcome of last run of the rule. Value could be succeeded, warning or failed.
+ description: >-
+ Outcome of last run of the rule. Value could
+ be succeeded, warning or failed.
enum:
- succeeded
- warning
- failed
type: string
success:
- description: Indicates whether the rule run was successful.
+ description: >-
+ Indicates whether the rule run was
+ successful.
type: boolean
timestamp:
description: Time of rule run.
@@ -2870,19 +2939,29 @@ paths:
- lte
- gte
total_alerts_created:
- description: Total number of alerts created during last rule run.
+ description: >-
+ Total number of alerts created during last
+ rule run.
nullable: true
type: number
total_alerts_detected:
- description: Total number of alerts detected during last rule run.
+ description: >-
+ Total number of alerts detected during
+ last rule run.
nullable: true
type: number
total_indexing_duration_ms:
- description: Total time spent indexing documents during last rule run in milliseconds.
+ description: >-
+ Total time spent indexing documents during
+ last rule run in milliseconds.
nullable: true
type: number
total_search_duration_ms:
- description: Total time spent performing Elasticsearch searches as measured by Kibana; includes network latency and time spent serializing or deserializing the request and response.
+ description: >-
+ Total time spent performing Elasticsearch
+ searches as measured by Kibana; includes
+ network latency and time spent serializing
+ or deserializing the request and response.
nullable: true
type: number
timestamp:
@@ -2913,7 +2992,19 @@ paths:
nullable: true
type: string
notify_when:
- description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
+ description: >-
+ Indicates how often alerts generate actions. Valid values
+ include: `onActionGroupChange`: Actions run when the alert
+ status changes; `onActiveAlert`: Actions run when the
+ alert becomes active and at each check interval while the
+ rule conditions are met; `onThrottleInterval`: Actions run
+ when the alert becomes active and at the interval
+ specified in the throttle property while the rule
+ conditions are met. NOTE: You cannot specify `notify_when`
+ at both the rule and action level. The recommended method
+ is to set it for each action. If you set it at the rule
+ level then update the rule in Kibana, it is automatically
+ changed to use action-specific values.
enum:
- onActionGroupChange
- onActiveAlert
@@ -2939,7 +3030,9 @@ paths:
type: object
properties:
interval:
- description: The interval is specified in seconds, minutes, hours, or days.
+ description: >-
+ The interval is specified in seconds, minutes, hours,
+ or days.
type: string
required:
- interval
@@ -2975,7 +3068,9 @@ paths:
type: array
bymonth:
items:
- description: Indicates months of the year that this rule should recur.
+ description: >-
+ Indicates months of the year that this rule
+ should recur.
type: number
nullable: true
type: array
@@ -2993,7 +3088,12 @@ paths:
type: array
bysetpos:
items:
- description: A positive or negative integer affecting the nth day of the month. For example, -2 combined with `byweekday` of FR is 2nd to last Friday of the month. It is recommended to not set this manually and just use `byweekday`.
+ description: >-
+ A positive or negative integer affecting the
+ nth day of the month. For example, -2 combined
+ with `byweekday` of FR is 2nd to last Friday
+ of the month. It is recommended to not set
+ this manually and just use `byweekday`.
type: number
nullable: true
type: array
@@ -3002,7 +3102,13 @@ paths:
anyOf:
- type: string
- type: number
- description: Indicates the days of the week to recur or else nth-day-of-month strings. For example, "+2TU" second Tuesday of month, "-1FR" last Friday of the month, which are internally converted to a `byweekday/bysetpos` combination.
+ description: >-
+ Indicates the days of the week to recur or
+ else nth-day-of-month strings. For example,
+ "+2TU" second Tuesday of month, "-1FR" last
+ Friday of the month, which are internally
+ converted to a `byweekday/bysetpos`
+ combination.
nullable: true
type: array
byweekno:
@@ -3013,18 +3119,26 @@ paths:
type: array
byyearday:
items:
- description: Indicates the days of the year that this rule should recur.
+ description: >-
+ Indicates the days of the year that this rule
+ should recur.
type: number
nullable: true
type: array
count:
- description: Number of times the rule should recur until it stops.
+ description: >-
+ Number of times the rule should recur until it
+ stops.
type: number
dtstart:
- description: Rule start date in Coordinated Universal Time (UTC).
+ description: >-
+ Rule start date in Coordinated Universal Time
+ (UTC).
type: string
freq:
- description: Indicates frequency of the rule. Options are YEARLY, MONTHLY, WEEKLY, DAILY.
+ description: >-
+ Indicates frequency of the rule. Options are
+ YEARLY, MONTHLY, WEEKLY, DAILY.
enum:
- 0
- 1
@@ -3035,7 +3149,10 @@ paths:
- 6
type: integer
interval:
- description: Indicates the interval of frequency. For example, 1 and YEARLY is every 1 year, 2 and WEEKLY is every 2 weeks.
+ description: >-
+ Indicates the interval of frequency. For
+ example, 1 and YEARLY is every 1 year, 2 and
+ WEEKLY is every 2 weeks.
type: number
tzid:
description: Indicates timezone abbreviation.
@@ -3073,14 +3190,23 @@ paths:
type: array
throttle:
deprecated: true
- description: 'Deprecated in 8.13.0. Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
+ description: >-
+ Deprecated in 8.13.0. Use the `throttle` property in the
+ action `frequency` object instead. The throttle interval,
+ which defines how often an alert generates repeated
+ actions. NOTE: You cannot specify the throttle interval at
+ both the rule and action level. If you set it at the rule
+ level then update the rule in Kibana, it is automatically
+ changed to use action-specific values.
nullable: true
type: string
updated_at:
description: The date and time that the rule was updated most recently.
type: string
updated_by:
- description: The identifier for the user that updated this rule most recently.
+ description: >-
+ The identifier for the user that updated this rule most
+ recently.
nullable: true
type: string
view_in_app_relative_url:
@@ -3106,17 +3232,6 @@ paths:
- muted_alert_ids
- execution_status
- revision
- examples:
- createEsQueryEsqlRuleResponse:
- $ref: '#/components/examples/create_es_query_esql_rule_response'
- createEsQueryRuleResponse:
- $ref: '#/components/examples/create_es_query_rule_response'
- createEsQueryKqlRuleResponse:
- $ref: '#/components/examples/create_es_query_kql_rule_response'
- createIndexThresholdRuleResponse:
- $ref: '#/components/examples/create_index_threshold_rule_response'
- createTrackingContainmentRuleResponse:
- $ref: '#/components/examples/create_tracking_containment_rule_response'
description: Indicates a successful call.
'400':
description: Indicates an invalid schema or parameters.
@@ -3166,10 +3281,15 @@ paths:
type: object
properties:
dsl:
- description: A filter written in Elasticsearch Query Domain Specific Language (DSL).
+ description: >-
+ A filter written in Elasticsearch Query Domain
+ Specific Language (DSL).
type: string
filters:
- description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package.
+ description: >-
+ A filter written in Elasticsearch Query Domain
+ Specific Language (DSL) as defined in the
+ `kbn-es-query` package.
items:
additionalProperties: false
type: object
@@ -3179,7 +3299,9 @@ paths:
type: object
properties:
store:
- description: A filter can be either specific to an application context or applied globally.
+ description: >-
+ A filter can be either specific to an
+ application context or applied globally.
enum:
- appState
- globalState
@@ -3196,18 +3318,27 @@ paths:
- meta
type: array
kql:
- description: A filter written in Kibana Query Language (KQL).
+ description: >-
+ A filter written in Kibana Query Language
+ (KQL).
type: string
required:
- kql
- filters
timeframe:
additionalProperties: false
- description: Defines a period that limits whether the action runs.
+ description: >-
+ Defines a period that limits whether the action
+ runs.
type: object
properties:
days:
- description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week.
+ description: >-
+ Defines the days of the week that the action
+ can run, represented as an array of numbers.
+ For example, `1` represents Monday. An empty
+ array is equivalent to specifying all the days
+ of the week.
items:
enum:
- 1
@@ -3221,20 +3352,32 @@ paths:
type: array
hours:
additionalProperties: false
- description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions be generated all day.
+ description: >-
+ Defines the range of time in a day that the
+ action can run. If the `start` value is
+ `00:00` and the `end` value is `24:00`,
+ actions be generated all day.
type: object
properties:
end:
- description: The end of the time frame in 24-hour notation (`hh:mm`).
+ description: >-
+ The end of the time frame in 24-hour
+ notation (`hh:mm`).
type: string
start:
- description: The start of the time frame in 24-hour notation (`hh:mm`).
+ description: >-
+ The start of the time frame in 24-hour
+ notation (`hh:mm`).
type: string
required:
- start
- end
timezone:
- description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended.
+ description: >-
+ The ISO time zone for the `hours` values.
+ Values such as `UTC` and `UTC+1` also work but
+ lack built-in daylight savings time support
+ and are not recommended.
type: string
required:
- days
@@ -3245,7 +3388,21 @@ paths:
type: object
properties:
notify_when:
- description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
+ description: >-
+ Indicates how often alerts generate actions. Valid
+ values include: `onActionGroupChange`: Actions run
+ when the alert status changes; `onActiveAlert`:
+ Actions run when the alert becomes active and at
+ each check interval while the rule conditions are
+ met; `onThrottleInterval`: Actions run when the
+ alert becomes active and at the interval specified
+ in the throttle property while the rule conditions
+ are met. NOTE: You cannot specify `notify_when` at
+ both the rule and action level. The recommended
+ method is to set it for each action. If you set it
+ at the rule level then update the rule in Kibana,
+ it is automatically changed to use action-specific
+ values.
enum:
- onActionGroupChange
- onActiveAlert
@@ -3255,7 +3412,17 @@ paths:
description: Indicates whether the action is a summary.
type: boolean
throttle:
- description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
+ description: >-
+ The throttle interval, which defines how often an
+ alert generates repeated actions. It is specified
+ in seconds, minutes, hours, or days and is
+ applicable only if `notify_when` is set to
+ `onThrottleInterval`. NOTE: You cannot specify the
+ throttle interval at both the rule and action
+ level. The recommended method is to set it for
+ each action. If you set it at the rule level then
+ update the rule in Kibana, it is automatically
+ changed to use action-specific values.
nullable: true
type: string
required:
@@ -3263,7 +3430,12 @@ paths:
- notify_when
- throttle
group:
- description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`.
+ description: >-
+ The group name, which affects when the action runs
+ (for example, when the threshold is met or when the
+ alert is recovered). Each rule type has a list of
+ valid action group names. If you don't need to group
+ actions, set to `default`.
type: string
id:
description: The identifier for the connector saved object.
@@ -3271,7 +3443,10 @@ paths:
params:
additionalProperties: {}
default: {}
- description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context.
+ description: >-
+ The parameters for the action, which are sent to the
+ connector. The `params` are handled as Mustache
+ templates and passed a default set of context.
type: object
use_alert_data_for_template:
description: Indicates whether to use alert data as a template.
@@ -3284,11 +3459,15 @@ paths:
type: array
alert_delay:
additionalProperties: false
- description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions.
+ description: >-
+ Indicates that an alert occurs only when the specified
+ number of consecutive runs met the rule conditions.
type: object
properties:
active:
- description: The number of consecutive runs that must meet the rule conditions.
+ description: >-
+ The number of consecutive runs that must meet the rule
+ conditions.
type: number
required:
- active
@@ -3318,17 +3497,24 @@ paths:
- blob
flapping:
additionalProperties: false
- description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced.
+ description: >-
+ When flapping detection is turned on, alerts that switch
+ quickly between active and recovered states are identified
+ as “flapping” and notifications are reduced.
nullable: true
type: object
properties:
look_back_window:
- description: The minimum number of runs in which the threshold must be met.
+ description: >-
+ The minimum number of runs in which the threshold must
+ be met.
maximum: 20
minimum: 2
type: number
status_change_threshold:
- description: The minimum number of times an alert must switch states in the look back window.
+ description: >-
+ The minimum number of times an alert must switch states
+ in the look back window.
maximum: 20
minimum: 2
type: number
@@ -3336,10 +3522,24 @@ paths:
- look_back_window
- status_change_threshold
name:
- description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
+ description: >-
+ The name of the rule. While this name does not have to be
+ unique, a distinctive name can help you identify a rule.
type: string
notify_when:
- description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
+ description: >-
+ Indicates how often alerts generate actions. Valid values
+ include: `onActionGroupChange`: Actions run when the alert
+ status changes; `onActiveAlert`: Actions run when the alert
+ becomes active and at each check interval while the rule
+ conditions are met; `onThrottleInterval`: Actions run when
+ the alert becomes active and at the interval specified in
+ the throttle property while the rule conditions are met.
+ NOTE: You cannot specify `notify_when` at both the rule and
+ action level. The recommended method is to set it for each
+ action. If you set it at the rule level then update the rule
+ in Kibana, it is automatically changed to use
+ action-specific values.
enum:
- onActionGroupChange
- onActiveAlert
@@ -3356,7 +3556,9 @@ paths:
type: object
properties:
interval:
- description: The interval is specified in seconds, minutes, hours, or days.
+ description: >-
+ The interval is specified in seconds, minutes, hours, or
+ days.
type: string
required:
- interval
@@ -3367,15 +3569,18 @@ paths:
type: string
type: array
throttle:
- description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
+ description: >-
+ Use the `throttle` property in the action `frequency` object
+ instead. The throttle interval, which defines how often an
+ alert generates repeated actions. NOTE: You cannot specify
+ the throttle interval at both the rule and action level. If
+ you set it at the rule level then update the rule in Kibana,
+ it is automatically changed to use action-specific values.
nullable: true
type: string
required:
- name
- schedule
- examples:
- updateRuleRequest:
- $ref: '#/components/examples/update_rule_request'
responses:
'200':
content:
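Review bot: The request body on the new side no longer carries an `examples` entry; the `updateRuleRequest` reference to `#/components/examples/update_rule_request` is dropped at the end of this hunk, and the matching `updateRuleResponse` reference goes in the hunk at `@@ -4046,9 +4401,6 @@`. If the drop is intentional, the corresponding `components/examples` definitions (outside this view) should go too so they are not orphaned; if it is a side effect of regenerating this output file, the examples need to be restored in the source spec rather than here. The enclosing operation starts and ends outside this hunk.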
@@ -3391,7 +3596,9 @@ paths:
properties:
alerts_filter:
additionalProperties: false
- description: Defines a period that limits whether the action runs.
+ description: >-
+ Defines a period that limits whether the action
+ runs.
type: object
properties:
query:
@@ -3399,10 +3606,15 @@ paths:
type: object
properties:
dsl:
- description: A filter written in Elasticsearch Query Domain Specific Language (DSL).
+ description: >-
+ A filter written in Elasticsearch Query
+ Domain Specific Language (DSL).
type: string
filters:
- description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package.
+ description: >-
+ A filter written in Elasticsearch Query
+ Domain Specific Language (DSL) as defined in
+ the `kbn-es-query` package.
items:
additionalProperties: false
type: object
@@ -3412,7 +3624,9 @@ paths:
type: object
properties:
store:
- description: A filter can be either specific to an application context or applied globally.
+ description: >-
+ A filter can be either specific to an
+ application context or applied globally.
enum:
- appState
- globalState
@@ -3429,7 +3643,9 @@ paths:
- meta
type: array
kql:
- description: A filter written in Kibana Query Language (KQL).
+ description: >-
+ A filter written in Kibana Query Language
+ (KQL).
type: string
required:
- kql
@@ -3439,7 +3655,12 @@ paths:
type: object
properties:
days:
- description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week.
+ description: >-
+ Defines the days of the week that the action
+ can run, represented as an array of numbers.
+ For example, `1` represents Monday. An empty
+ array is equivalent to specifying all the
+ days of the week.
items:
enum:
- 1
@@ -3456,30 +3677,55 @@ paths:
type: object
properties:
end:
- description: The end of the time frame in 24-hour notation (`hh:mm`).
+ description: >-
+ The end of the time frame in 24-hour
+ notation (`hh:mm`).
type: string
start:
- description: The start of the time frame in 24-hour notation (`hh:mm`).
+ description: >-
+ The start of the time frame in 24-hour
+ notation (`hh:mm`).
type: string
required:
- start
- end
timezone:
- description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended.
+ description: >-
+ The ISO time zone for the `hours` values.
+ Values such as `UTC` and `UTC+1` also work
+ but lack built-in daylight savings time
+ support and are not recommended.
type: string
required:
- days
- hours
- timezone
connector_type_id:
- description: The type of connector. This property appears in responses but cannot be set in requests.
+ description: >-
+ The type of connector. This property appears in
+ responses but cannot be set in requests.
type: string
frequency:
additionalProperties: false
type: object
properties:
notify_when:
- description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
+ description: >-
+ Indicates how often alerts generate actions.
+ Valid values include: `onActionGroupChange`:
+ Actions run when the alert status changes;
+ `onActiveAlert`: Actions run when the alert
+ becomes active and at each check interval while
+ the rule conditions are met;
+ `onThrottleInterval`: Actions run when the alert
+ becomes active and at the interval specified in
+ the throttle property while the rule conditions
+ are met. NOTE: You cannot specify `notify_when`
+ at both the rule and action level. The
+ recommended method is to set it for each action.
+ If you set it at the rule level then update the
+ rule in Kibana, it is automatically changed to
+ use action-specific values.
enum:
- onActionGroupChange
- onActiveAlert
@@ -3489,7 +3735,18 @@ paths:
description: Indicates whether the action is a summary.
type: boolean
throttle:
- description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if ''notify_when'' is set to ''onThrottleInterval''. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
+ description: >-
+ The throttle interval, which defines how often
+ an alert generates repeated actions. It is
+ specified in seconds, minutes, hours, or days
+ and is applicable only if 'notify_when' is set
+ to 'onThrottleInterval'. NOTE: You cannot
+ specify the throttle interval at both the rule
+ and action level. The recommended method is to
+ set it for each action. If you set it at the
+ rule level then update the rule in Kibana, it is
+ automatically changed to use action-specific
+ values.
nullable: true
type: string
required:
@@ -3497,20 +3754,30 @@ paths:
- notify_when
- throttle
group:
- description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`.
+ description: >-
+ The group name, which affects when the action runs
+ (for example, when the threshold is met or when the
+ alert is recovered). Each rule type has a list of
+ valid action group names. If you don't need to group
+ actions, set to `default`.
type: string
id:
description: The identifier for the connector saved object.
type: string
params:
additionalProperties: {}
- description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context.
+ description: >-
+ The parameters for the action, which are sent to the
+ connector. The `params` are handled as Mustache
+ templates and passed a default set of context.
type: object
use_alert_data_for_template:
description: Indicates whether to use alert data as a template.
type: boolean
uuid:
- description: A universally unique identifier (UUID) for the action.
+ description: >-
+ A universally unique identifier (UUID) for the
+ action.
type: string
required:
- id
@@ -3524,20 +3791,28 @@ paths:
type: array
alert_delay:
additionalProperties: false
- description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions.
+ description: >-
+ Indicates that an alert occurs only when the specified
+ number of consecutive runs met the rule conditions.
type: object
properties:
active:
- description: The number of consecutive runs that must meet the rule conditions.
+ description: >-
+ The number of consecutive runs that must meet the rule
+ conditions.
type: number
required:
- active
api_key_created_by_user:
- description: Indicates whether the API key that is associated with the rule was created by the user.
+ description: >-
+ Indicates whether the API key that is associated with the
+ rule was created by the user.
nullable: true
type: boolean
api_key_owner:
- description: The owner of the API key that is associated with the rule and used to run background tasks.
+ description: >-
+ The owner of the API key that is associated with the rule
+ and used to run background tasks.
nullable: true
type: string
artifacts:
@@ -3559,12 +3834,18 @@ paths:
type: object
properties:
blob:
- description: User-created content that describes alert causes and remdiation.
+ description: >-
+ User-created content that describes alert causes
+ and remdiation.
type: string
required:
- blob
consumer:
- description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.'
+ description: >-
+ The name of the application or feature that owns the rule.
+ For example: `alerts`, `apm`, `discover`,
+ `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`,
+ `securitySolution`, `siem`, `stackAlerts`, or `uptime`.
type: string
created_at:
description: The date and time that the rule was created.
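Review bot: The reflowed `blob` description keeps the misspelling `remdiation`; the second folded line should read `and remediation.`. The typo predates this commit, but since the line is being rewritten anyway the fix is cheap, and it should be made in the source schema because this file is generated output.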
@@ -3574,7 +3855,9 @@ paths:
nullable: true
type: string
enabled:
- description: Indicates whether you want to run the rule on an interval basis after it is created.
+ description: >-
+ Indicates whether you want to run the rule on an interval
+ basis after it is created.
type: boolean
execution_status:
additionalProperties: false
@@ -3641,17 +3924,24 @@ paths:
- last_execution_date
flapping:
additionalProperties: false
- description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced.
+ description: >-
+ When flapping detection is turned on, alerts that switch
+ quickly between active and recovered states are identified
+ as “flapping” and notifications are reduced.
nullable: true
type: object
properties:
look_back_window:
- description: The minimum number of runs in which the threshold must be met.
+ description: >-
+ The minimum number of runs in which the threshold must
+ be met.
maximum: 20
minimum: 2
type: number
status_change_threshold:
- description: The minimum number of times an alert must switch states in the look back window.
+ description: >-
+ The minimum number of times an alert must switch
+ states in the look back window.
maximum: 20
minimum: 2
type: number
@@ -3691,7 +3981,9 @@ paths:
nullable: true
type: number
outcome:
- description: Outcome of last run of the rule. Value could be succeeded, warning or failed.
+ description: >-
+ Outcome of last run of the rule. Value could be
+ succeeded, warning or failed.
enum:
- succeeded
- warning
@@ -3741,7 +4033,9 @@ paths:
properties:
calculated_metrics:
additionalProperties: false
- description: Calculation of different percentiles and success ratio.
+ description: >-
+ Calculation of different percentiles and success
+ ratio.
type: object
properties:
p50:
@@ -3764,14 +4058,18 @@ paths:
description: Duration of the rule run.
type: number
outcome:
- description: Outcome of last run of the rule. Value could be succeeded, warning or failed.
+ description: >-
+ Outcome of last run of the rule. Value could
+ be succeeded, warning or failed.
enum:
- succeeded
- warning
- failed
type: string
success:
- description: Indicates whether the rule run was successful.
+ description: >-
+ Indicates whether the rule run was
+ successful.
type: boolean
timestamp:
description: Time of rule run.
@@ -3810,19 +4108,29 @@ paths:
- lte
- gte
total_alerts_created:
- description: Total number of alerts created during last rule run.
+ description: >-
+ Total number of alerts created during last
+ rule run.
nullable: true
type: number
total_alerts_detected:
- description: Total number of alerts detected during last rule run.
+ description: >-
+ Total number of alerts detected during
+ last rule run.
nullable: true
type: number
total_indexing_duration_ms:
- description: Total time spent indexing documents during last rule run in milliseconds.
+ description: >-
+ Total time spent indexing documents during
+ last rule run in milliseconds.
nullable: true
type: number
total_search_duration_ms:
- description: Total time spent performing Elasticsearch searches as measured by Kibana; includes network latency and time spent serializing or deserializing the request and response.
+ description: >-
+ Total time spent performing Elasticsearch
+ searches as measured by Kibana; includes
+ network latency and time spent serializing
+ or deserializing the request and response.
nullable: true
type: number
timestamp:
@@ -3853,7 +4161,19 @@ paths:
nullable: true
type: string
notify_when:
- description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
+ description: >-
+ Indicates how often alerts generate actions. Valid values
+ include: `onActionGroupChange`: Actions run when the alert
+ status changes; `onActiveAlert`: Actions run when the
+ alert becomes active and at each check interval while the
+ rule conditions are met; `onThrottleInterval`: Actions run
+ when the alert becomes active and at the interval
+ specified in the throttle property while the rule
+ conditions are met. NOTE: You cannot specify `notify_when`
+ at both the rule and action level. The recommended method
+ is to set it for each action. If you set it at the rule
+ level then update the rule in Kibana, it is automatically
+ changed to use action-specific values.
enum:
- onActionGroupChange
- onActiveAlert
@@ -3879,7 +4199,9 @@ paths:
type: object
properties:
interval:
- description: The interval is specified in seconds, minutes, hours, or days.
+ description: >-
+ The interval is specified in seconds, minutes, hours,
+ or days.
type: string
required:
- interval
@@ -3915,7 +4237,9 @@ paths:
type: array
bymonth:
items:
- description: Indicates months of the year that this rule should recur.
+ description: >-
+ Indicates months of the year that this rule
+ should recur.
type: number
nullable: true
type: array
@@ -3933,7 +4257,12 @@ paths:
type: array
bysetpos:
items:
- description: A positive or negative integer affecting the nth day of the month. For example, -2 combined with `byweekday` of FR is 2nd to last Friday of the month. It is recommended to not set this manually and just use `byweekday`.
+ description: >-
+ A positive or negative integer affecting the
+ nth day of the month. For example, -2 combined
+ with `byweekday` of FR is 2nd to last Friday
+ of the month. It is recommended to not set
+ this manually and just use `byweekday`.
type: number
nullable: true
type: array
@@ -3942,7 +4271,13 @@ paths:
anyOf:
- type: string
- type: number
- description: Indicates the days of the week to recur or else nth-day-of-month strings. For example, "+2TU" second Tuesday of month, "-1FR" last Friday of the month, which are internally converted to a `byweekday/bysetpos` combination.
+ description: >-
+ Indicates the days of the week to recur or
+ else nth-day-of-month strings. For example,
+ "+2TU" second Tuesday of month, "-1FR" last
+ Friday of the month, which are internally
+ converted to a `byweekday/bysetpos`
+ combination.
nullable: true
type: array
byweekno:
@@ -3953,18 +4288,26 @@ paths:
type: array
byyearday:
items:
- description: Indicates the days of the year that this rule should recur.
+ description: >-
+ Indicates the days of the year that this rule
+ should recur.
type: number
nullable: true
type: array
count:
- description: Number of times the rule should recur until it stops.
+ description: >-
+ Number of times the rule should recur until it
+ stops.
type: number
dtstart:
- description: Rule start date in Coordinated Universal Time (UTC).
+ description: >-
+ Rule start date in Coordinated Universal Time
+ (UTC).
type: string
freq:
- description: Indicates frequency of the rule. Options are YEARLY, MONTHLY, WEEKLY, DAILY.
+ description: >-
+ Indicates frequency of the rule. Options are
+ YEARLY, MONTHLY, WEEKLY, DAILY.
enum:
- 0
- 1
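Review bot: The `freq` description says the options are `YEARLY, MONTHLY, WEEKLY, DAILY`, but the schema underneath is an integer enum starting at `0` (the enum continues past the end of this hunk), so a reader has no way to tell which integer corresponds to which frequency name. The description should spell out the mapping, for example `Indicates frequency of the rule: 0 (YEARLY), 1 (MONTHLY), 2 (WEEKLY), 3 (DAILY)` if that is the intended order; the actual assignment needs confirming against the implementation before documenting it. The fix belongs in the source schema since this file is generated.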
@@ -3975,7 +4318,10 @@ paths:
- 6
type: integer
interval:
- description: Indicates the interval of frequency. For example, 1 and YEARLY is every 1 year, 2 and WEEKLY is every 2 weeks.
+ description: >-
+ Indicates the interval of frequency. For
+ example, 1 and YEARLY is every 1 year, 2 and
+ WEEKLY is every 2 weeks.
type: number
tzid:
description: Indicates timezone abbreviation.
@@ -4013,14 +4359,23 @@ paths:
type: array
throttle:
deprecated: true
- description: 'Deprecated in 8.13.0. Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
+ description: >-
+ Deprecated in 8.13.0. Use the `throttle` property in the
+ action `frequency` object instead. The throttle interval,
+ which defines how often an alert generates repeated
+ actions. NOTE: You cannot specify the throttle interval at
+ both the rule and action level. If you set it at the rule
+ level then update the rule in Kibana, it is automatically
+ changed to use action-specific values.
nullable: true
type: string
updated_at:
description: The date and time that the rule was updated most recently.
type: string
updated_by:
- description: The identifier for the user that updated this rule most recently.
+ description: >-
+ The identifier for the user that updated this rule most
+ recently.
nullable: true
type: string
view_in_app_relative_url:
@@ -4046,9 +4401,6 @@ paths:
- muted_alert_ids
- execution_status
- revision
- examples:
- updateRuleResponse:
- $ref: '#/components/examples/update_rule_response'
description: Indicates a successful call.
'400':
description: Indicates an invalid schema or parameters.
@@ -4222,7 +4574,10 @@ paths:
- alerting
/api/alerting/rule/{id}/snooze_schedule:
post:
- description: When you snooze a rule, the rule checks continue to run but alerts will not generate actions. You can snooze for a specified period of time and schedule single or recurring downtimes.
+ description: >-
+ When you snooze a rule, the rule checks continue to run but alerts will
+ not generate actions. You can snooze for a specified period of time and
+ schedule single or recurring downtimes.
operationId: post-alerting-rule-id-snooze-schedule
parameters:
- description: A required header to protect against CSRF attacks
@@ -4254,24 +4609,38 @@ paths:
type: object
properties:
duration:
- description: 'The duration of the schedule. It allows values in `` format. `` is one of `d`, `h`, `m`, or `s` for hours, minutes, seconds. For example: `1d`, `5h`, `30m`, `5000s`.'
+ description: >-
+ The duration of the schedule. It allows values in
+ `` format. `` is one of `d`,
+ `h`, `m`, or `s` for hours, minutes, seconds. For
+ example: `1d`, `5h`, `30m`, `5000s`.
type: string
recurring:
additionalProperties: false
type: object
properties:
end:
- description: 'The end date of a recurring schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-04-01T00:00:00.000Z`.'
+ description: >-
+ The end date of a recurring schedule, provided
+ in ISO 8601 format and set to the UTC timezone.
+ For example: `2025-04-01T00:00:00.000Z`.
type: string
every:
- description: 'The interval and frequency of a recurring schedule. It allows values in `` format. `` is one of `d`, `w`, `M`, or `y` for days, weeks, months, years. For example: `15d`, `2w`, `3m`, `1y`.'
+ description: >-
+ The interval and frequency of a recurring
+ schedule. It allows values in ``
+ format. `` is one of `d`, `w`, `M`, or `y`
+ for days, weeks, months, years. For example:
+ `15d`, `2w`, `3m`, `1y`.
type: string
occurrences:
description: The total number of recurrences of the schedule.
minimum: 1
type: number
onMonth:
- description: The specific months for a recurring schedule. Valid values are 1-12.
+ description: >-
+ The specific months for a recurring schedule.
+ Valid values are 1-12.
items:
maximum: 12
minimum: 1
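Review bot: The `duration` and `every` descriptions on the new side contain empty code spans (`` `` format. `` is one of ``), so the value format they are meant to name never reaches the reader; it looks like an angle-bracket placeholder was stripped as markup somewhere before or during generation, which is worth confirming in the source schema. The same text recurs in the hunk at `@@ -4324,24 +4704,43 @@`. A wording that needs no placeholder would be something like `It accepts a number followed by a unit: d, h, m, or s for days, hours, minutes, seconds.` — note that the current prose lists `d` but omits "days" from the unit names, and `every` lists `M` for months while its example uses lowercase `3m`, which readers may confuse with the minutes unit used by `duration`.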
@@ -4279,7 +4648,9 @@ paths:
minItems: 1
type: array
onMonthDay:
- description: The specific days of the month for a recurring schedule. Valid values are 1-31.
+ description: >-
+ The specific days of the month for a recurring
+ schedule. Valid values are 1-31.
items:
maximum: 31
minimum: 1
@@ -4287,16 +4658,25 @@ paths:
minItems: 1
type: array
onWeekDay:
- description: The specific days of the week (`[MO,TU,WE,TH,FR,SA,SU]`) or nth day of month (`[+1MO, -3FR, +2WE, -4SA, -5SU]`) for a recurring schedule.
+ description: >-
+ The specific days of the week
+ (`[MO,TU,WE,TH,FR,SA,SU]`) or nth day of month
+ (`[+1MO, -3FR, +2WE, -4SA, -5SU]`) for a
+ recurring schedule.
items:
type: string
minItems: 1
type: array
start:
- description: 'The start date and time of the schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-03-12T12:00:00.000Z`.'
+ description: >-
+ The start date and time of the schedule, provided in
+ ISO 8601 format and set to the UTC timezone. For
+ example: `2025-03-12T12:00:00.000Z`.
type: string
timezone:
- description: The timezone of the schedule. The default timezone is UTC.
+ description: >-
+ The timezone of the schedule. The default timezone
+ is UTC.
type: string
required:
- start
@@ -4324,24 +4704,43 @@ paths:
type: object
properties:
duration:
- description: 'The duration of the schedule. It allows values in `` format. `` is one of `d`, `h`, `m`, or `s` for hours, minutes, seconds. For example: `1d`, `5h`, `30m`, `5000s`.'
+ description: >-
+ The duration of the schedule. It allows values
+ in `` format. `` is one
+ of `d`, `h`, `m`, or `s` for hours, minutes,
+ seconds. For example: `1d`, `5h`, `30m`,
+ `5000s`.
type: string
recurring:
additionalProperties: false
type: object
properties:
end:
- description: 'The end date of a recurring schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-04-01T00:00:00.000Z`.'
+ description: >-
+ The end date of a recurring schedule,
+ provided in ISO 8601 format and set to the
+ UTC timezone. For example:
+ `2025-04-01T00:00:00.000Z`.
type: string
every:
- description: 'The interval and frequency of a recurring schedule. It allows values in `` format. `` is one of `d`, `w`, `M`, or `y` for days, weeks, months, years. For example: `15d`, `2w`, `3m`, `1y`.'
+ description: >-
+ The interval and frequency of a recurring
+ schedule. It allows values in
+ `` format. `` is one
+ of `d`, `w`, `M`, or `y` for days, weeks,
+ months, years. For example: `15d`, `2w`,
+ `3m`, `1y`.
type: string
occurrences:
- description: The total number of recurrences of the schedule.
+ description: >-
+ The total number of recurrences of the
+ schedule.
minimum: 1
type: number
onMonth:
- description: The specific months for a recurring schedule. Valid values are 1-12.
+ description: >-
+ The specific months for a recurring
+ schedule. Valid values are 1-12.
items:
maximum: 12
minimum: 1
@@ -4349,7 +4748,9 @@ paths:
minItems: 1
type: array
onMonthDay:
- description: The specific days of the month for a recurring schedule. Valid values are 1-31.
+ description: >-
+ The specific days of the month for a
+ recurring schedule. Valid values are 1-31.
items:
maximum: 31
minimum: 1
@@ -4357,16 +4758,26 @@ paths:
minItems: 1
type: array
onWeekDay:
- description: The specific days of the week (`[MO,TU,WE,TH,FR,SA,SU]`) or nth day of month (`[+1MO, -3FR, +2WE, -4SA, -5SU]`) for a recurring schedule.
+ description: >-
+ The specific days of the week
+ (`[MO,TU,WE,TH,FR,SA,SU]`) or nth day of
+ month (`[+1MO, -3FR, +2WE, -4SA, -5SU]`)
+ for a recurring schedule.
items:
type: string
minItems: 1
type: array
start:
- description: 'The start date and time of the schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-03-12T12:00:00.000Z`.'
+ description: >-
+ The start date and time of the schedule,
+ provided in ISO 8601 format and set to the UTC
+ timezone. For example:
+ `2025-03-12T12:00:00.000Z`.
type: string
timezone:
- description: The timezone of the schedule. The default timezone is UTC.
+ description: >-
+ The timezone of the schedule. The default
+ timezone is UTC.
type: string
required:
- start
@@ -4515,7 +4926,9 @@ paths:
default: 1
minimum: 1
type: number
- - description: An Elasticsearch simple_query_string query that filters the objects in the response.
+ - description: >-
+ An Elasticsearch simple_query_string query that filters the objects
+ in the response.
in: query
name: search
required: false
@@ -4541,7 +4954,9 @@ paths:
type: string
type: array
- type: string
- - description: Determines which field is used to sort the results. The field must exist in the `attributes` key of the response.
+ - description: >-
+ Determines which field is used to sort the results. The field must
+ exist in the `attributes` key of the response.
in: query
name: sort_field
required: false
@@ -4556,7 +4971,9 @@ paths:
- asc
- desc
type: string
- - description: Filters the rules that have a relation with the reference objects with a specific type and identifier.
+ - description: >-
+ Filters the rules that have a relation with the reference objects
+ with a specific type and identifier.
in: query
name: has_reference
required: false
@@ -4580,7 +4997,12 @@ paths:
description: The fields to return in the `attributes` key of the response.
type: string
type: array
- - description: 'A KQL string that you filter with an attribute from your saved object. It should look like `savedObjectType.attributes.title: "myTitle"`. However, if you used a direct attribute of a saved object, such as `updatedAt`, you must define your filter, for example, `savedObjectType.updatedAt > 2018-12-22`.'
+ - description: >-
+ A KQL string that you filter with an attribute from your saved
+ object. It should look like `savedObjectType.attributes.title:
+ "myTitle"`. However, if you used a direct attribute of a saved
+ object, such as `updatedAt`, you must define your filter, for
+ example, `savedObjectType.updatedAt > 2018-12-22`.
in: query
name: filter
required: false
@@ -4609,7 +5031,9 @@ paths:
properties:
alerts_filter:
additionalProperties: false
- description: Defines a period that limits whether the action runs.
+ description: >-
+ Defines a period that limits whether the action
+ runs.
type: object
properties:
query:
@@ -4617,10 +5041,15 @@ paths:
type: object
properties:
dsl:
- description: A filter written in Elasticsearch Query Domain Specific Language (DSL).
+ description: >-
+ A filter written in Elasticsearch Query
+ Domain Specific Language (DSL).
type: string
filters:
- description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package.
+ description: >-
+ A filter written in Elasticsearch Query
+ Domain Specific Language (DSL) as defined in
+ the `kbn-es-query` package.
items:
additionalProperties: false
type: object
@@ -4630,7 +5059,9 @@ paths:
type: object
properties:
store:
- description: A filter can be either specific to an application context or applied globally.
+ description: >-
+ A filter can be either specific to an
+ application context or applied globally.
enum:
- appState
- globalState
@@ -4647,7 +5078,9 @@ paths:
- meta
type: array
kql:
- description: A filter written in Kibana Query Language (KQL).
+ description: >-
+ A filter written in Kibana Query Language
+ (KQL).
type: string
required:
- kql
@@ -4657,7 +5090,12 @@ paths:
type: object
properties:
days:
- description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week.
+ description: >-
+ Defines the days of the week that the action
+ can run, represented as an array of numbers.
+ For example, `1` represents Monday. An empty
+ array is equivalent to specifying all the
+ days of the week.
items:
enum:
- 1
@@ -4674,30 +5112,55 @@ paths:
type: object
properties:
end:
- description: The end of the time frame in 24-hour notation (`hh:mm`).
+ description: >-
+ The end of the time frame in 24-hour
+ notation (`hh:mm`).
type: string
start:
- description: The start of the time frame in 24-hour notation (`hh:mm`).
+ description: >-
+ The start of the time frame in 24-hour
+ notation (`hh:mm`).
type: string
required:
- start
- end
timezone:
- description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended.
+ description: >-
+ The ISO time zone for the `hours` values.
+ Values such as `UTC` and `UTC+1` also work
+ but lack built-in daylight savings time
+ support and are not recommended.
type: string
required:
- days
- hours
- timezone
connector_type_id:
- description: The type of connector. This property appears in responses but cannot be set in requests.
+ description: >-
+ The type of connector. This property appears in
+ responses but cannot be set in requests.
type: string
frequency:
additionalProperties: false
type: object
properties:
notify_when:
- description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
+ description: >-
+ Indicates how often alerts generate actions.
+ Valid values include: `onActionGroupChange`:
+ Actions run when the alert status changes;
+ `onActiveAlert`: Actions run when the alert
+ becomes active and at each check interval while
+ the rule conditions are met;
+ `onThrottleInterval`: Actions run when the alert
+ becomes active and at the interval specified in
+ the throttle property while the rule conditions
+ are met. NOTE: You cannot specify `notify_when`
+ at both the rule and action level. The
+ recommended method is to set it for each action.
+ If you set it at the rule level then update the
+ rule in Kibana, it is automatically changed to
+ use action-specific values.
enum:
- onActionGroupChange
- onActiveAlert
@@ -4707,7 +5170,18 @@ paths:
description: Indicates whether the action is a summary.
type: boolean
throttle:
- description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if ''notify_when'' is set to ''onThrottleInterval''. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
+ description: >-
+ The throttle interval, which defines how often
+ an alert generates repeated actions. It is
+ specified in seconds, minutes, hours, or days
+ and is applicable only if 'notify_when' is set
+ to 'onThrottleInterval'. NOTE: You cannot
+ specify the throttle interval at both the rule
+ and action level. The recommended method is to
+ set it for each action. If you set it at the
+ rule level then update the rule in Kibana, it is
+ automatically changed to use action-specific
+ values.
nullable: true
type: string
required:
@@ -4715,20 +5189,30 @@ paths:
- notify_when
- throttle
group:
- description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`.
+ description: >-
+ The group name, which affects when the action runs
+ (for example, when the threshold is met or when the
+ alert is recovered). Each rule type has a list of
+ valid action group names. If you don't need to group
+ actions, set to `default`.
type: string
id:
description: The identifier for the connector saved object.
type: string
params:
additionalProperties: {}
- description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context.
+ description: >-
+ The parameters for the action, which are sent to the
+ connector. The `params` are handled as Mustache
+ templates and passed a default set of context.
type: object
use_alert_data_for_template:
description: Indicates whether to use alert data as a template.
type: boolean
uuid:
- description: A universally unique identifier (UUID) for the action.
+ description: >-
+ A universally unique identifier (UUID) for the
+ action.
type: string
required:
- id
@@ -4742,20 +5226,28 @@ paths:
type: array
alert_delay:
additionalProperties: false
- description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions.
+ description: >-
+ Indicates that an alert occurs only when the specified
+ number of consecutive runs met the rule conditions.
type: object
properties:
active:
- description: The number of consecutive runs that must meet the rule conditions.
+ description: >-
+ The number of consecutive runs that must meet the rule
+ conditions.
type: number
required:
- active
api_key_created_by_user:
- description: Indicates whether the API key that is associated with the rule was created by the user.
+ description: >-
+ Indicates whether the API key that is associated with the
+ rule was created by the user.
nullable: true
type: boolean
api_key_owner:
- description: The owner of the API key that is associated with the rule and used to run background tasks.
+ description: >-
+ The owner of the API key that is associated with the rule
+ and used to run background tasks.
nullable: true
type: string
artifacts:
@@ -4777,12 +5269,18 @@ paths:
type: object
properties:
blob:
- description: User-created content that describes alert causes and remdiation.
+ description: >-
+ User-created content that describes alert causes
+ and remdiation.
type: string
required:
- blob
consumer:
- description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.'
+ description: >-
+ The name of the application or feature that owns the rule.
+ For example: `alerts`, `apm`, `discover`,
+ `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`,
+ `securitySolution`, `siem`, `stackAlerts`, or `uptime`.
type: string
created_at:
description: The date and time that the rule was created.
@@ -4792,7 +5290,9 @@ paths:
nullable: true
type: string
enabled:
- description: Indicates whether you want to run the rule on an interval basis after it is created.
+ description: >-
+ Indicates whether you want to run the rule on an interval
+ basis after it is created.
type: boolean
execution_status:
additionalProperties: false
@@ -4859,17 +5359,24 @@ paths:
- last_execution_date
flapping:
additionalProperties: false
- description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced.
+ description: >-
+ When flapping detection is turned on, alerts that switch
+ quickly between active and recovered states are identified
+ as “flapping” and notifications are reduced.
nullable: true
type: object
properties:
look_back_window:
- description: The minimum number of runs in which the threshold must be met.
+ description: >-
+ The minimum number of runs in which the threshold must
+ be met.
maximum: 20
minimum: 2
type: number
status_change_threshold:
- description: The minimum number of times an alert must switch states in the look back window.
+ description: >-
+ The minimum number of times an alert must switch
+ states in the look back window.
maximum: 20
minimum: 2
type: number
@@ -4909,7 +5416,9 @@ paths:
nullable: true
type: number
outcome:
- description: Outcome of last run of the rule. Value could be succeeded, warning or failed.
+ description: >-
+ Outcome of last run of the rule. Value could be
+ succeeded, warning or failed.
enum:
- succeeded
- warning
@@ -4959,7 +5468,9 @@ paths:
properties:
calculated_metrics:
additionalProperties: false
- description: Calculation of different percentiles and success ratio.
+ description: >-
+ Calculation of different percentiles and success
+ ratio.
type: object
properties:
p50:
@@ -4982,14 +5493,18 @@ paths:
description: Duration of the rule run.
type: number
outcome:
- description: Outcome of last run of the rule. Value could be succeeded, warning or failed.
+ description: >-
+ Outcome of last run of the rule. Value could
+ be succeeded, warning or failed.
enum:
- succeeded
- warning
- failed
type: string
success:
- description: Indicates whether the rule run was successful.
+ description: >-
+ Indicates whether the rule run was
+ successful.
type: boolean
timestamp:
description: Time of rule run.
@@ -5028,19 +5543,29 @@ paths:
- lte
- gte
total_alerts_created:
- description: Total number of alerts created during last rule run.
+ description: >-
+ Total number of alerts created during last
+ rule run.
nullable: true
type: number
total_alerts_detected:
- description: Total number of alerts detected during last rule run.
+ description: >-
+ Total number of alerts detected during
+ last rule run.
nullable: true
type: number
total_indexing_duration_ms:
- description: Total time spent indexing documents during last rule run in milliseconds.
+ description: >-
+ Total time spent indexing documents during
+ last rule run in milliseconds.
nullable: true
type: number
total_search_duration_ms:
- description: Total time spent performing Elasticsearch searches as measured by Kibana; includes network latency and time spent serializing or deserializing the request and response.
+ description: >-
+ Total time spent performing Elasticsearch
+ searches as measured by Kibana; includes
+ network latency and time spent serializing
+ or deserializing the request and response.
nullable: true
type: number
timestamp:
@@ -5071,7 +5596,19 @@ paths:
nullable: true
type: string
notify_when:
- description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
+ description: >-
+ Indicates how often alerts generate actions. Valid values
+ include: `onActionGroupChange`: Actions run when the alert
+ status changes; `onActiveAlert`: Actions run when the
+ alert becomes active and at each check interval while the
+ rule conditions are met; `onThrottleInterval`: Actions run
+ when the alert becomes active and at the interval
+ specified in the throttle property while the rule
+ conditions are met. NOTE: You cannot specify `notify_when`
+ at both the rule and action level. The recommended method
+ is to set it for each action. If you set it at the rule
+ level then update the rule in Kibana, it is automatically
+ changed to use action-specific values.
enum:
- onActionGroupChange
- onActiveAlert
@@ -5097,7 +5634,9 @@ paths:
type: object
properties:
interval:
- description: The interval is specified in seconds, minutes, hours, or days.
+ description: >-
+ The interval is specified in seconds, minutes, hours,
+ or days.
type: string
required:
- interval
@@ -5133,7 +5672,9 @@ paths:
type: array
bymonth:
items:
- description: Indicates months of the year that this rule should recur.
+ description: >-
+ Indicates months of the year that this rule
+ should recur.
type: number
nullable: true
type: array
@@ -5151,7 +5692,12 @@ paths:
type: array
bysetpos:
items:
- description: A positive or negative integer affecting the nth day of the month. For example, -2 combined with `byweekday` of FR is 2nd to last Friday of the month. It is recommended to not set this manually and just use `byweekday`.
+ description: >-
+ A positive or negative integer affecting the
+ nth day of the month. For example, -2 combined
+ with `byweekday` of FR is 2nd to last Friday
+ of the month. It is recommended to not set
+ this manually and just use `byweekday`.
type: number
nullable: true
type: array
@@ -5160,7 +5706,13 @@ paths:
anyOf:
- type: string
- type: number
- description: Indicates the days of the week to recur or else nth-day-of-month strings. For example, "+2TU" second Tuesday of month, "-1FR" last Friday of the month, which are internally converted to a `byweekday/bysetpos` combination.
+ description: >-
+ Indicates the days of the week to recur or
+ else nth-day-of-month strings. For example,
+ "+2TU" second Tuesday of month, "-1FR" last
+ Friday of the month, which are internally
+ converted to a `byweekday/bysetpos`
+ combination.
nullable: true
type: array
byweekno:
@@ -5171,18 +5723,26 @@ paths:
type: array
byyearday:
items:
- description: Indicates the days of the year that this rule should recur.
+ description: >-
+ Indicates the days of the year that this rule
+ should recur.
type: number
nullable: true
type: array
count:
- description: Number of times the rule should recur until it stops.
+ description: >-
+ Number of times the rule should recur until it
+ stops.
type: number
dtstart:
- description: Rule start date in Coordinated Universal Time (UTC).
+ description: >-
+ Rule start date in Coordinated Universal Time
+ (UTC).
type: string
freq:
- description: Indicates frequency of the rule. Options are YEARLY, MONTHLY, WEEKLY, DAILY.
+ description: >-
+ Indicates frequency of the rule. Options are
+ YEARLY, MONTHLY, WEEKLY, DAILY.
enum:
- 0
- 1
@@ -5193,7 +5753,10 @@ paths:
- 6
type: integer
interval:
- description: Indicates the interval of frequency. For example, 1 and YEARLY is every 1 year, 2 and WEEKLY is every 2 weeks.
+ description: >-
+ Indicates the interval of frequency. For
+ example, 1 and YEARLY is every 1 year, 2 and
+ WEEKLY is every 2 weeks.
type: number
tzid:
description: Indicates timezone abbreviation.
@@ -5231,14 +5794,23 @@ paths:
type: array
throttle:
deprecated: true
- description: 'Deprecated in 8.13.0. Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
+ description: >-
+ Deprecated in 8.13.0. Use the `throttle` property in the
+ action `frequency` object instead. The throttle interval,
+ which defines how often an alert generates repeated
+ actions. NOTE: You cannot specify the throttle interval at
+ both the rule and action level. If you set it at the rule
+ level then update the rule in Kibana, it is automatically
+ changed to use action-specific values.
nullable: true
type: string
updated_at:
description: The date and time that the rule was updated most recently.
type: string
updated_by:
- description: The identifier for the user that updated this rule most recently.
+ description: >-
+ The identifier for the user that updated this rule most
+ recently.
nullable: true
type: string
view_in_app_relative_url:
@@ -5264,11 +5836,6 @@ paths:
- muted_alert_ids
- execution_status
- revision
- examples:
- findRulesResponse:
- $ref: '#/components/examples/find_rules_response'
- findConditionalActionRulesResponse:
- $ref: '#/components/examples/find_rules_response_conditional_action'
description: Indicates a successful call.
'400':
description: Indicates an invalid schema or parameters.
@@ -5280,8 +5847,9 @@ paths:
/api/alerts/alert/{alertId}:
delete:
deprecated: true
- description: |
- Deprecated in 7.13.0. Use the delete rule API instead. WARNING: After you delete an alert, you cannot recover it.
+ description: >
+ Deprecated in 7.13.0. Use the delete rule API instead. WARNING: After
+ you delete an alert, you cannot recover it.
operationId: legaryDeleteAlert
parameters:
- $ref: '#/components/parameters/Alerting_kbn_xsrf'
@@ -5338,7 +5906,9 @@ paths:
operationId: legacyCreateAlert
parameters:
- $ref: '#/components/parameters/Alerting_kbn_xsrf'
- - description: An UUID v1 or v4 identifier for the alert. If this parameter is omitted, the identifier is randomly generated.
+ - description: >-
+ An UUID v1 or v4 identifier for the alert. If this parameter is
+ omitted, the identifier is randomly generated.
in: path
name: alertId
required: true
@@ -5360,15 +5930,19 @@ paths:
description: The identifier for the action type.
type: string
group:
- description: |
- Grouping actions is recommended for escalations for different types of alert instances. If you don't need this functionality, set it to `default`.
+ description: >
+ Grouping actions is recommended for escalations for
+ different types of alert instances. If you don't need
+ this functionality, set it to `default`.
type: string
id:
description: The ID of the action saved object.
type: string
params:
- description: |
- The map to the `params` that the action type will receive. `params` are handled as Mustache templates and passed a default set of context.
+ description: >
+ The map to the `params` that the action type will
+ receive. `params` are handled as Mustache templates
+ and passed a default set of context.
type: object
required:
- actionTypeId
@@ -5377,13 +5951,20 @@ paths:
- params
type: array
alertTypeId:
- description: The ID of the alert type that you want to call when the alert is scheduled to run.
+ description: >-
+ The ID of the alert type that you want to call when the
+ alert is scheduled to run.
type: string
consumer:
- description: The name of the application that owns the alert. This name has to match the Kibana feature name, as that dictates the required role-based access control privileges.
+ description: >-
+ The name of the application that owns the alert. This name
+ has to match the Kibana feature name, as that dictates the
+ required role-based access control privileges.
type: string
enabled:
- description: Indicates if you want to run the alert on an interval basis after it is created.
+ description: >-
+ Indicates if you want to run the alert on an interval basis
+ after it is created.
type: boolean
name:
description: A name to reference and search.
@@ -5396,15 +5977,22 @@ paths:
- onThrottleInterval
type: string
params:
- description: The parameters to pass to the alert type executor `params` value. This will also validate against the alert type params validator, if defined.
+ description: >-
+ The parameters to pass to the alert type executor `params`
+ value. This will also validate against the alert type params
+ validator, if defined.
type: object
schedule:
- description: |
- The schedule specifying when this alert should be run. A schedule is structured such that the key specifies the format you wish to use and its value specifies the schedule.
+ description: >
+ The schedule specifying when this alert should be run. A
+ schedule is structured such that the key specifies the
+ format you wish to use and its value specifies the schedule.
type: object
properties:
interval:
- description: The interval format specifies the interval in seconds, minutes, hours or days at which the alert should run.
+ description: >-
+ The interval format specifies the interval in seconds,
+ minutes, hours or days at which the alert should run.
example: 10s
type: string
tags:
@@ -5413,8 +6001,13 @@ paths:
type: string
type: array
throttle:
- description: |
- How often this alert should fire the same actions. This will prevent the alert from sending out the same notification over and over. For example, if an alert with a schedule of 1 minute stays in a triggered state for 90 minutes, setting a throttle of `10m` or `1h` will prevent it from sending 90 notifications during this period.
+ description: >
+ How often this alert should fire the same actions. This will
+ prevent the alert from sending out the same notification
+ over and over. For example, if an alert with a schedule of 1
+ minute stays in a triggered state for 90 minutes, setting a
+ throttle of `10m` or `1h` will prevent it from sending 90
+ notifications during this period.
type: string
required:
- alertTypeId
@@ -5468,15 +6061,19 @@ paths:
description: The identifier for the action type.
type: string
group:
- description: |
- Grouping actions is recommended for escalations for different types of alert instances. If you don't need this functionality, set it to `default`.
+ description: >
+ Grouping actions is recommended for escalations for
+ different types of alert instances. If you don't need
+ this functionality, set it to `default`.
type: string
id:
description: The ID of the action saved object.
type: string
params:
- description: |
- The map to the `params` that the action type will receive. `params` are handled as Mustache templates and passed a default set of context.
+ description: >
+ The map to the `params` that the action type will
+ receive. `params` are handled as Mustache templates
+ and passed a default set of context.
type: object
required:
- actionTypeId
@@ -5495,15 +6092,22 @@ paths:
- onThrottleInterval
type: string
params:
- description: The parameters to pass to the alert type executor `params` value. This will also validate against the alert type params validator, if defined.
+ description: >-
+ The parameters to pass to the alert type executor `params`
+ value. This will also validate against the alert type params
+ validator, if defined.
type: object
schedule:
- description: |
- The schedule specifying when this alert should be run. A schedule is structured such that the key specifies the format you wish to use and its value specifies the schedule.
+ description: >
+ The schedule specifying when this alert should be run. A
+ schedule is structured such that the key specifies the
+ format you wish to use and its value specifies the schedule.
type: object
properties:
interval:
- description: The interval format specifies the interval in seconds, minutes, hours or days at which the alert should run.
+ description: >-
+ The interval format specifies the interval in seconds,
+ minutes, hours or days at which the alert should run.
example: 1d
type: string
tags:
@@ -5512,8 +6116,13 @@ paths:
type: string
type: array
throttle:
- description: |
- How often this alert should fire the same actions. This will prevent the alert from sending out the same notification over and over. For example, if an alert with a schedule of 1 minute stays in a triggered state for 90 minutes, setting a throttle of `10m` or `1h` will prevent it from sending 90 notifications during this period.
+ description: >
+ How often this alert should fire the same actions. This will
+ prevent the alert from sending out the same notification
+ over and over. For example, if an alert with a schedule of 1
+ minute stays in a triggered state for 90 minutes, setting a
+ throttle of `10m` or `1h` will prevent it from sending 90
+ notifications during this period.
type: string
required:
- name
@@ -5710,8 +6319,12 @@ paths:
/api/alerts/alerts/_find:
get:
deprecated: true
- description: |
- Deprecated in 7.13.0. Use the find rules API instead. NOTE: Alert `params` are stored as a flattened field type and analyzed as keywords. As alerts change in Kibana, the results on each page of the response also change. Use the find API for traditional paginated results, but avoid using it to export large amounts of data.
+ description: >
+ Deprecated in 7.13.0. Use the find rules API instead. NOTE: Alert
+ `params` are stored as a flattened field type and analyzed as keywords.
+ As alerts change in Kibana, the results on each page of the response
+ also change. Use the find API for traditional paginated results, but
+ avoid using it to export large amounts of data.
operationId: legacyFindAlerts
parameters:
- description: The default operator to use for the `simple_query_string`.
@@ -5728,13 +6341,19 @@ paths:
items:
type: string
type: array
- - description: |
- A KQL string that you filter with an attribute from your saved object. It should look like `savedObjectType.attributes.title: "myTitle"`. However, if you used a direct attribute of a saved object, such as `updatedAt`, you must define your filter, for example, `savedObjectType.updatedAt > 2018-12-22`.
+ - description: >
+ A KQL string that you filter with an attribute from your saved
+ object. It should look like `savedObjectType.attributes.title:
+ "myTitle"`. However, if you used a direct attribute of a saved
+ object, such as `updatedAt`, you must define your filter, for
+ example, `savedObjectType.updatedAt > 2018-12-22`.
in: query
name: filter
schema:
type: string
- - description: Filters the rules that have a relation with the reference objects with a specific type and identifier.
+ - description: >-
+ Filters the rules that have a relation with the reference objects
+ with a specific type and identifier.
in: query
name: has_reference
schema:
@@ -5758,12 +6377,16 @@ paths:
schema:
default: 20
type: integer
- - description: An Elasticsearch `simple_query_string` query that filters the alerts in the response.
+ - description: >-
+ An Elasticsearch `simple_query_string` query that filters the alerts
+ in the response.
in: query
name: search
schema:
type: string
- - description: The fields to perform the `simple_query_string` parsed query against.
+ - description: >-
+ The fields to perform the `simple_query_string` parsed query
+ against.
in: query
name: search_fields
schema:
@@ -5772,8 +6395,9 @@ paths:
- items:
type: string
type: array
- - description: |
- Determines which field is used to sort the results. The field must exist in the `attributes` key of the response.
+ - description: >
+ Determines which field is used to sort the results. The field must
+ exist in the `attributes` key of the response.
in: query
name: sort_field
schema:
@@ -5828,8 +6452,10 @@ paths:
type: object
properties:
alertingFrameworkHealth:
- description: |
- Three substates identify the health of the alerting framework: `decryptionHealth`, `executionHealth`, and `readHealth`.
+ description: >
+ Three substates identify the health of the alerting
+ framework: `decryptionHealth`, `executionHealth`, and
+ `readHealth`.
type: object
properties:
decryptionHealth:
@@ -5878,7 +6504,9 @@ paths:
format: date-time
type: string
hasPermanentEncryptionKey:
- description: If `false`, the encrypted saved object plugin does not have a permanent encryption key.
+ description: >-
+ If `false`, the encrypted saved object plugin does not
+ have a permanent encryption key.
example: true
type: boolean
isSufficientlySecure:
@@ -5909,8 +6537,11 @@ paths:
type: object
properties:
actionGroups:
- description: |
- An explicit list of groups for which the alert type can schedule actions, each with the action group's unique ID and human readable name. Alert actions validation uses this configuration to ensure that groups are valid.
+ description: >
+ An explicit list of groups for which the alert type can
+ schedule actions, each with the action group's unique ID
+ and human readable name. Alert actions validation uses
+ this configuration to ensure that groups are valid.
items:
type: object
properties:
@@ -5920,8 +6551,12 @@ paths:
type: string
type: array
actionVariables:
- description: |
- A list of action variables that the alert type makes available via context and state in action parameter templates, and a short human readable description. The Alert UI will use this information to prompt users for these variables in action parameter editors.
+ description: >
+ A list of action variables that the alert type makes
+ available via context and state in action parameter
+ templates, and a short human readable description. The
+ Alert UI will use this information to prompt users for
+ these variables in action parameter editors.
type: object
properties:
context:
@@ -5952,19 +6587,25 @@ paths:
type: string
type: array
authorizedConsumers:
- description: The list of the plugins IDs that have access to the alert type.
+ description: >-
+ The list of the plugins IDs that have access to the
+ alert type.
type: object
defaultActionGroupId:
description: The default identifier for the alert type group.
type: string
enabledInLicense:
- description: Indicates whether the rule type is enabled based on the subscription.
+ description: >-
+ Indicates whether the rule type is enabled based on the
+ subscription.
type: boolean
id:
description: The unique identifier for the alert type.
type: string
isExportable:
- description: Indicates whether the alert type is exportable in Saved Objects Management UI.
+ description: >-
+ Indicates whether the alert type is exportable in Saved
+ Objects Management UI.
type: boolean
minimumLicenseRequired:
description: The subscriptions required to use the alert type.
@@ -5973,11 +6614,15 @@ paths:
description: The descriptive name of the alert type.
type: string
producer:
- description: An identifier for the application that produces this alert type.
+ description: >-
+ An identifier for the application that produces this
+ alert type.
type: string
recoveryActionGroup:
- description: |
- An action group to use when an alert instance goes from an active state to an inactive one. If it is not specified, the default recovered action group is used.
+ description: >
+ An action group to use when an alert instance goes from
+ an active state to an inactive one. If it is not
+ specified, the default recovered action group is used.
type: object
properties:
id:
@@ -6224,7 +6869,8 @@ paths:
content:
application/json:
schema:
- $ref: '#/components/schemas/APM_UI_delete_agent_configurations_response'
+ $ref: >-
+ #/components/schemas/APM_UI_delete_agent_configurations_response
description: Successful response
'400':
content:
@@ -6417,8 +7063,9 @@ paths:
- APM agent configuration
/api/apm/settings/agent-configuration/search:
post:
- description: |
- This endpoint allows to search for single agent configuration and update 'applied_by_agent' field.
+ description: >
+ This endpoint allows to search for single agent configuration and update
+ 'applied_by_agent' field.
operationId: searchSingleConfiguration
parameters:
- $ref: '#/components/parameters/APM_UI_elastic_api_version'
@@ -6434,7 +7081,8 @@ paths:
content:
application/json:
schema:
- $ref: '#/components/schemas/APM_UI_search_agent_configuration_response'
+ $ref: >-
+ #/components/schemas/APM_UI_search_agent_configuration_response
description: Successful response
'400':
content:
@@ -6479,7 +7127,8 @@ paths:
content:
application/json:
schema:
- $ref: '#/components/schemas/APM_UI_single_agent_configuration_response'
+ $ref: >-
+ #/components/schemas/APM_UI_single_agent_configuration_response
description: Successful response
'400':
content:
@@ -6693,10 +7342,13 @@ paths:
type: object
properties:
deleted:
- description: True if the record was deleted or false if the record did not exist.
+ description: >-
+ True if the record was deleted or false if the record did
+ not exist.
type: boolean
record:
- $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityRecord'
+ $ref: >-
+ #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityRecord
description: The deleted record if it existed.
required:
- deleted
@@ -6729,7 +7381,8 @@ paths:
content:
application/json:
schema:
- $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityRecord'
+ $ref: >-
+ #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityRecord
description: Successful response
'400':
description: Invalid request
@@ -6739,21 +7392,27 @@ paths:
tags:
- Security Entity Analytics API
post:
- description: |
+ description: >
Create or update an asset criticality record for a specific entity.
- If a record already exists for the specified entity, that record is overwritten with the specified value. If a record doesn't exist for the specified entity, a new record is created.
+
+ If a record already exists for the specified entity, that record is
+ overwritten with the specified value. If a record doesn't exist for the
+ specified entity, a new record is created.
operationId: CreateAssetCriticalityRecord
requestBody:
content:
application/json:
schema:
allOf:
- - $ref: '#/components/schemas/Security_Entity_Analytics_API_CreateAssetCriticalityRecord'
+ - $ref: >-
+ #/components/schemas/Security_Entity_Analytics_API_CreateAssetCriticalityRecord
- type: object
properties:
refresh:
- description: If 'wait_for' the request will wait for the index refresh.
+ description: >-
+ If 'wait_for' the request will wait for the index
+ refresh.
enum:
- wait_for
type: string
@@ -6767,7 +7426,8 @@ paths:
content:
application/json:
schema:
- $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityRecord'
+ $ref: >-
+ #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityRecord
description: Successful response
'400':
description: Invalid request
@@ -6776,10 +7436,14 @@ paths:
- Security Entity Analytics API
/api/asset_criticality/bulk:
post:
- description: |
+ description: >
Bulk upsert up to 1000 asset criticality records.
- If asset criticality records already exist for the specified entities, those records are overwritten with the specified values. If asset criticality records don't exist for the specified entities, new records are created.
+
+ If asset criticality records already exist for the specified entities,
+ those records are overwritten with the specified values. If asset
+ criticality records don't exist for the specified entities, new records
+ are created.
operationId: BulkUpsertAssetCriticalityRecords
requestBody:
content:
@@ -6797,7 +7461,8 @@ paths:
properties:
records:
items:
- $ref: '#/components/schemas/Security_Entity_Analytics_API_CreateAssetCriticalityRecord'
+ $ref: >-
+ #/components/schemas/Security_Entity_Analytics_API_CreateAssetCriticalityRecord
maxItems: 1000
minItems: 1
type: array
@@ -6820,10 +7485,12 @@ paths:
properties:
errors:
items:
- $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityBulkUploadErrorItem'
+ $ref: >-
+ #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityBulkUploadErrorItem
type: array
stats:
- $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityBulkUploadStats'
+ $ref: >-
+ #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityBulkUploadStats
required:
- errors
- stats
@@ -6920,7 +7587,8 @@ paths:
type: integer
records:
items:
- $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityRecord'
+ $ref: >-
+ #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityRecord
type: array
total:
minimum: 0
@@ -6936,8 +7604,11 @@ paths:
- Security Entity Analytics API
/api/cases:
delete:
- description: |
- You must have `read` or `all` privileges and the `delete` sub-feature privilege for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on the owner of the cases you're deleting.
+ description: >
+ You must have `read` or `all` privileges and the `delete` sub-feature
+ privilege for the **Cases** feature in the **Management**,
+ **Observability**, or **Security** section of the Kibana feature
+ privileges, depending on the owner of the cases you're deleting.
operationId: deleteCaseDefaultSpace
parameters:
- $ref: '#/components/parameters/Cases_kbn_xsrf'
@@ -6955,8 +7626,11 @@ paths:
tags:
- cases
patch:
- description: |
- You must have `all` privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on the owner of the case you're updating.
+ description: >
+ You must have `all` privileges for the **Cases** feature in the
+ **Management**, **Observability**, or **Security** section of the
+ Kibana feature privileges, depending on the owner of the case you're
+ updating.
operationId: updateCaseDefaultSpace
parameters:
- $ref: '#/components/parameters/Cases_kbn_xsrf'
@@ -6990,8 +7664,11 @@ paths:
tags:
- cases
post:
- description: |
- You must have `all` privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on the owner of the case you're creating.
+ description: >
+ You must have `all` privileges for the **Cases** feature in the
+ **Management**, **Observability**, or **Security** section of the
+ Kibana feature privileges, depending on the owner of the case you're
+ creating.
operationId: createCaseDefaultSpace
parameters:
- $ref: '#/components/parameters/Cases_kbn_xsrf'
@@ -7025,8 +7702,10 @@ paths:
- cases
/api/cases/_find:
get:
- description: |
- You must have `read` privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on the owner of the cases you're seeking.
+ description: >
+ You must have `read` privileges for the **Cases** feature in the
+ **Management**, **Observability**, or **Security** section of the Kibana
+ feature privileges, depending on the owner of the cases you're seeking.
operationId: findCasesDefaultSpace
parameters:
- $ref: '#/components/parameters/Cases_assignees_filter'
@@ -7084,8 +7763,10 @@ paths:
- cases
/api/cases/{caseId}:
get:
- description: |
- You must have `read` privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on the owner of the case you're seeking.
+ description: >
+ You must have `read` privileges for the **Cases** feature in the
+ **Management**, **Observability**, or **Security** section of the Kibana
+ feature privileges, depending on the owner of the case you're seeking.
operationId: getCaseDefaultSpace
parameters:
- $ref: '#/components/parameters/Cases_case_id'
@@ -7113,8 +7794,10 @@ paths:
- cases
/api/cases/{caseId}/alerts:
get:
- description: |
- You must have `read` privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on the owner of the cases you're seeking.
+ description: >
+ You must have `read` privileges for the **Cases** feature in the
+ **Management**, **Observability**, or **Security** section of the Kibana
+ feature privileges, depending on the owner of the cases you're seeking.
operationId: getCaseAlertsDefaultSpace
parameters:
- $ref: '#/components/parameters/Cases_case_id'
@@ -7142,8 +7825,11 @@ paths:
x-state: Technical preview
/api/cases/{caseId}/comments:
delete:
- description: |
- Deletes all comments and alerts from a case. You must have `all` privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on the owner of the cases you're deleting.
+ description: >
+ Deletes all comments and alerts from a case. You must have `all`
+ privileges for the **Cases** feature in the **Management**,
+ **Observability**, or **Security** section of the Kibana feature
+ privileges, depending on the owner of the cases you're deleting.
operationId: deleteCaseCommentsDefaultSpace
parameters:
- $ref: '#/components/parameters/Cases_kbn_xsrf'
@@ -7162,8 +7848,13 @@ paths:
- cases
get:
deprecated: true
- description: |
- Deprecated in 8.1.0. This API is deprecated and will be removed in a future release; instead, use the get case comment API, which requires a comment identifier in the path. You must have `read` privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on the owner of the cases with the comments you're seeking.
+ description: >
+ Deprecated in 8.1.0. This API is deprecated and will be removed in a
+ future release; instead, use the get case comment API, which requires a
+ comment identifier in the path. You must have `read` privileges for the
+ **Cases** feature in the **Management**, **Observability**, or
+ **Security** section of the Kibana feature privileges, depending on the
+ owner of the cases with the comments you're seeking.
operationId: getAllCaseCommentsDefaultSpace
parameters:
- $ref: '#/components/parameters/Cases_case_id'
@@ -7184,8 +7875,11 @@ paths:
tags:
- cases
patch:
- description: |
- You must have `all` privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on the owner of the case you're updating. NOTE: You cannot change the comment type or the owner of a comment.
+ description: >
+ You must have `all` privileges for the **Cases** feature in the
+ **Management**, **Observability**, or **Security** section of the Kibana
+ feature privileges, depending on the owner of the case you're updating.
+ NOTE: You cannot change the comment type or the owner of a comment.
operationId: updateCaseCommentDefaultSpace
parameters:
- $ref: '#/components/parameters/Cases_kbn_xsrf'
@@ -7219,8 +7913,11 @@ paths:
tags:
- cases
post:
- description: |
- You must have `all` privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on the owner of the case you're creating. NOTE: Each case can have a maximum of 1,000 alerts.
+ description: >
+ You must have `all` privileges for the **Cases** feature in the
+ **Management**, **Observability**, or **Security** section of the Kibana
+ feature privileges, depending on the owner of the case you're creating.
+ NOTE: Each case can have a maximum of 1,000 alerts.
operationId: addCaseCommentDefaultSpace
parameters:
- $ref: '#/components/parameters/Cases_kbn_xsrf'
@@ -7255,8 +7952,12 @@ paths:
- cases
/api/cases/{caseId}/comments/_find:
get:
- description: |
- Retrieves a paginated list of comments for a case. You must have `read` privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on the owner of the cases with the comments you're seeking.
+ description: >
+ Retrieves a paginated list of comments for a case. You must have `read`
+ privileges for the **Cases** feature in the **Management**,
+ **Observability**, or **Security** section of the Kibana feature
+ privileges, depending on the owner of the cases with the comments you're
+ seeking.
operationId: findCaseCommentsDefaultSpace
parameters:
- $ref: '#/components/parameters/Cases_case_id'
@@ -7281,8 +7982,10 @@ paths:
- cases
/api/cases/{caseId}/comments/{commentId}:
delete:
- description: |
- You must have `all` privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on the owner of the cases you're deleting.
+ description: >
+ You must have `all` privileges for the **Cases** feature in the
+ **Management**, **Observability**, or **Security** section of the Kibana
+ feature privileges, depending on the owner of the cases you're deleting.
operationId: deleteCaseCommentDefaultSpace
parameters:
- $ref: '#/components/parameters/Cases_kbn_xsrf'
@@ -7301,8 +8004,11 @@ paths:
tags:
- cases
get:
- description: |
- You must have `read` privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on the owner of the cases with the comments you're seeking.
+ description: >
+ You must have `read` privileges for the **Cases** feature in the
+ **Management**, **Observability**, or **Security** section of the Kibana
+ feature privileges, depending on the owner of the cases with the
+ comments you're seeking.
operationId: getCaseCommentDefaultSpace
parameters:
- $ref: '#/components/parameters/Cases_case_id'
@@ -7316,8 +8022,10 @@ paths:
$ref: '#/components/examples/Cases_get_comment_response'
schema:
oneOf:
- - $ref: '#/components/schemas/Cases_alert_comment_response_properties'
- - $ref: '#/components/schemas/Cases_user_comment_response_properties'
+ - $ref: >-
+ #/components/schemas/Cases_alert_comment_response_properties
+ - $ref: >-
+ #/components/schemas/Cases_user_comment_response_properties
description: Indicates a successful call.
'401':
content:
@@ -7330,8 +8038,12 @@ paths:
- cases
/api/cases/{caseId}/connector/{connectorId}/_push:
post:
- description: |
- You must have `all` privileges for the **Actions and Connectors** feature in the **Management** section of the Kibana feature privileges. You must also have `all` privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on the owner of the case you're pushing.
+ description: >
+ You must have `all` privileges for the **Actions and Connectors**
+ feature in the **Management** section of the Kibana feature privileges.
+ You must also have `all` privileges for the **Cases** feature in the
+ **Management**, **Observability**, or **Security** section of the Kibana
+ feature privileges, depending on the owner of the case you're pushing.
operationId: pushCaseDefaultSpace
parameters:
- $ref: '#/components/parameters/Cases_case_id'
@@ -7364,9 +8076,14 @@ paths:
- cases
/api/cases/{caseId}/files:
post:
- description: |
- Attach a file to a case. You must have `all` privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on the owner of the case you're updating. The request must include:
+ description: >
+ Attach a file to a case. You must have `all` privileges for the
+ **Cases** feature in the **Management**, **Observability**, or
+ **Security** section of the Kibana feature privileges, depending on the
+ owner of the case you're updating. The request must include:
+
- The `Content-Type: multipart/form-data` HTTP header.
+
- The location of the file that is being uploaded.
operationId: addCaseFileDefaultSpace
parameters:
@@ -7400,8 +8117,13 @@ paths:
/api/cases/{caseId}/user_actions:
get:
deprecated: true
- description: |
- Returns all user activity for a case. Deprecated in 8.1.0. This API is deprecated and will be removed in a future release; use the find user actions API instead. You must have `read` privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on the owner of the case you're seeking.
+ description: >
+ Returns all user activity for a case. Deprecated in 8.1.0. This API is
+ deprecated and will be removed in a future release; use the find user
+ actions API instead. You must have `read` privileges for the **Cases**
+ feature in the **Management**, **Observability**, or **Security**
+ section of the Kibana feature privileges, depending on the owner of the
+ case you're seeking.
operationId: getCaseActivityDefaultSpace
parameters:
- $ref: '#/components/parameters/Cases_case_id'
@@ -7425,8 +8147,11 @@ paths:
- cases
/api/cases/{caseId}/user_actions/_find:
get:
- description: |
- Retrives a paginated list of user activity for a case. You must have `read` privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on the owner of the case you're seeking.
+ description: >
+ Retrives a paginated list of user activity for a case. You must have
+ `read` privileges for the **Cases** feature in the **Management**,
+ **Observability**, or **Security** section of the Kibana feature
+ privileges, depending on the owner of the case you're seeking.
operationId: findCaseActivityDefaultSpace
parameters:
- $ref: '#/components/parameters/Cases_case_id'
@@ -7452,7 +8177,8 @@ paths:
type: integer
userActions:
items:
- $ref: '#/components/schemas/Cases_user_actions_find_response_properties'
+ $ref: >-
+ #/components/schemas/Cases_user_actions_find_response_properties
maxItems: 10000
type: array
description: Indicates a successful call.
@@ -7467,8 +8193,10 @@ paths:
- cases
/api/cases/alerts/{alertId}:
get:
- description: |
- You must have `read` privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on the owner of the cases you're seeking.
+ description: >
+ You must have `read` privileges for the **Cases** feature in the
+ **Management**, **Observability**, or **Security** section of the Kibana
+ feature privileges, depending on the owner of the cases you're seeking.
operationId: getCasesByAlertDefaultSpace
parameters:
- $ref: '#/components/parameters/Cases_alert_id'
@@ -7505,8 +8233,12 @@ paths:
x-state: Technical preview
/api/cases/configure:
get:
- description: |
- Get setting details such as the closure type, custom fields, templatse, and the default connector for cases. You must have `read` privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on where the cases were created.
+ description: >
+ Get setting details such as the closure type, custom fields, templatse,
+ and the default connector for cases. You must have `read` privileges for
+ the **Cases** feature in the **Management**, **Observability**, or
+ **Security** section of the Kibana feature privileges, depending on
+ where the cases were created.
operationId: getCaseConfigurationDefaultSpace
parameters:
- $ref: '#/components/parameters/Cases_owner_filter'
@@ -7527,15 +8259,24 @@ paths:
type: object
properties:
fields:
- description: The fields specified in the case configuration are not used and are not propagated to individual cases, therefore it is recommended to set it to `null`.
+ description: >-
+ The fields specified in the case configuration are
+ not used and are not propagated to individual cases,
+ therefore it is recommended to set it to `null`.
nullable: true
type: object
id:
- description: The identifier for the connector. If you do not want a default connector, use `none`. To retrieve connector IDs, use the find connectors API.
+ description: >-
+ The identifier for the connector. If you do not want
+ a default connector, use `none`. To retrieve
+ connector IDs, use the find connectors API.
example: none
type: string
name:
- description: The name of the connector. If you do not want a default connector, use `none`. To retrieve connector names, use the find connectors API.
+ description: >-
+ The name of the connector. If you do not want a
+ default connector, use `none`. To retrieve connector
+ names, use the find connectors API.
example: none
type: string
type:
@@ -7572,19 +8313,27 @@ paths:
type: object
properties:
defaultValue:
- description: |
- A default value for the custom field. If the `type` is `text`, the default value must be a string. If the `type` is `toggle`, the default value must be boolean.
+ description: >
+ A default value for the custom field. If the
+ `type` is `text`, the default value must be a
+ string. If the `type` is `toggle`, the default
+ value must be boolean.
oneOf:
- type: string
- type: boolean
key:
- description: |
- A unique key for the custom field. Must be lower case and composed only of a-z, 0-9, '_', and '-' characters. It is used in API calls to refer to a specific custom field.
+ description: >
+ A unique key for the custom field. Must be lower
+ case and composed only of a-z, 0-9, '_', and '-'
+ characters. It is used in API calls to refer to a
+ specific custom field.
maxLength: 36
minLength: 1
type: string
label:
- description: The custom field label that is displayed in the case.
+ description: >-
+ The custom field label that is displayed in the
+ case.
maxLength: 50
minLength: 1
type: string
@@ -7595,8 +8344,10 @@ paths:
- toggle
type: string
required:
- description: |
- Indicates whether the field is required. If `false`, the custom field can be set to null or omitted when a case is created or updated.
+ description: >
+ Indicates whether the field is required. If
+ `false`, the custom field can be set to null or
+ omitted when a case is created or updated.
type: boolean
type: array
error:
@@ -7667,8 +8418,16 @@ paths:
tags:
- cases
post:
- description: |
- Case settings include external connection details, custom fields, and templates. Connectors are used to interface with external systems. You must create a connector before you can use it in your cases. If you set a default connector, it is automatically selected when you create cases in Kibana. If you use the create case API, however, you must still specify all of the connector details. You must have `all` privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on where you are creating cases.
+ description: >
+ Case settings include external connection details, custom fields, and
+ templates. Connectors are used to interface with external systems. You
+ must create a connector before you can use it in your cases. If you set
+ a default connector, it is automatically selected when you create cases
+ in Kibana. If you use the create case API, however, you must still
+ specify all of the connector details. You must have `all` privileges for
+ the **Cases** feature in the **Management**, **Observability**, or
+ **Security** section of the Kibana feature privileges, depending on
+ where you are creating cases.
operationId: setCaseConfigurationDefaultSpace
parameters:
- $ref: '#/components/parameters/Cases_kbn_xsrf'
@@ -7696,15 +8455,24 @@ paths:
type: object
properties:
fields:
- description: The fields specified in the case configuration are not used and are not propagated to individual cases, therefore it is recommended to set it to `null`.
+ description: >-
+ The fields specified in the case configuration are not
+ used and are not propagated to individual cases,
+ therefore it is recommended to set it to `null`.
nullable: true
type: object
id:
- description: The identifier for the connector. If you do not want a default connector, use `none`. To retrieve connector IDs, use the find connectors API.
+ description: >-
+ The identifier for the connector. If you do not want a
+ default connector, use `none`. To retrieve connector
+ IDs, use the find connectors API.
example: none
type: string
name:
- description: The name of the connector. If you do not want a default connector, use `none`. To retrieve connector names, use the find connectors API.
+ description: >-
+ The name of the connector. If you do not want a
+ default connector, use `none`. To retrieve connector
+ names, use the find connectors API.
example: none
type: string
type:
@@ -7741,19 +8509,27 @@ paths:
type: object
properties:
defaultValue:
- description: |
- A default value for the custom field. If the `type` is `text`, the default value must be a string. If the `type` is `toggle`, the default value must be boolean.
+ description: >
+ A default value for the custom field. If the `type`
+ is `text`, the default value must be a string. If
+ the `type` is `toggle`, the default value must be
+ boolean.
oneOf:
- type: string
- type: boolean
key:
- description: |
- A unique key for the custom field. Must be lower case and composed only of a-z, 0-9, '_', and '-' characters. It is used in API calls to refer to a specific custom field.
+ description: >
+ A unique key for the custom field. Must be lower
+ case and composed only of a-z, 0-9, '_', and '-'
+ characters. It is used in API calls to refer to a
+ specific custom field.
maxLength: 36
minLength: 1
type: string
label:
- description: The custom field label that is displayed in the case.
+ description: >-
+ The custom field label that is displayed in the
+ case.
maxLength: 50
minLength: 1
type: string
@@ -7764,8 +8540,10 @@ paths:
- toggle
type: string
required:
- description: |
- Indicates whether the field is required. If `false`, the custom field can be set to null or omitted when a case is created or updated.
+ description: >
+ Indicates whether the field is required. If `false`,
+ the custom field can be set to null or omitted when
+ a case is created or updated.
type: boolean
type: array
error:
@@ -7836,8 +8614,14 @@ paths:
- cases
/api/cases/configure/{configurationId}:
patch:
- description: |
- Updates setting details such as the closure type, custom fields, templates, and the default connector for cases. Connectors are used to interface with external systems. You must create a connector before you can use it in your cases. You must have `all` privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on where the case was created.
+ description: >
+ Updates setting details such as the closure type, custom fields,
+ templates, and the default connector for cases. Connectors are used to
+ interface with external systems. You must create a connector before you
+ can use it in your cases. You must have `all` privileges for the
+ **Cases** feature in the **Management**, **Observability**, or
+ **Security** section of the Kibana feature privileges, depending on
+ where the case was created.
operationId: updateCaseConfigurationDefaultSpace
parameters:
- $ref: '#/components/parameters/Cases_kbn_xsrf'
@@ -7856,7 +8640,8 @@ paths:
application/json:
examples:
updateCaseConfigurationResponse:
- $ref: '#/components/examples/Cases_update_case_configuration_response'
+ $ref: >-
+ #/components/examples/Cases_update_case_configuration_response
schema:
type: object
properties:
@@ -7866,15 +8651,24 @@ paths:
type: object
properties:
fields:
- description: The fields specified in the case configuration are not used and are not propagated to individual cases, therefore it is recommended to set it to `null`.
+ description: >-
+ The fields specified in the case configuration are not
+ used and are not propagated to individual cases,
+ therefore it is recommended to set it to `null`.
nullable: true
type: object
id:
- description: The identifier for the connector. If you do not want a default connector, use `none`. To retrieve connector IDs, use the find connectors API.
+ description: >-
+ The identifier for the connector. If you do not want a
+ default connector, use `none`. To retrieve connector
+ IDs, use the find connectors API.
example: none
type: string
name:
- description: The name of the connector. If you do not want a default connector, use `none`. To retrieve connector names, use the find connectors API.
+ description: >-
+ The name of the connector. If you do not want a
+ default connector, use `none`. To retrieve connector
+ names, use the find connectors API.
example: none
type: string
type:
@@ -7911,19 +8705,27 @@ paths:
type: object
properties:
defaultValue:
- description: |
- A default value for the custom field. If the `type` is `text`, the default value must be a string. If the `type` is `toggle`, the default value must be boolean.
+ description: >
+ A default value for the custom field. If the `type`
+ is `text`, the default value must be a string. If
+ the `type` is `toggle`, the default value must be
+ boolean.
oneOf:
- type: string
- type: boolean
key:
- description: |
- A unique key for the custom field. Must be lower case and composed only of a-z, 0-9, '_', and '-' characters. It is used in API calls to refer to a specific custom field.
+ description: >
+ A unique key for the custom field. Must be lower
+ case and composed only of a-z, 0-9, '_', and '-'
+ characters. It is used in API calls to refer to a
+ specific custom field.
maxLength: 36
minLength: 1
type: string
label:
- description: The custom field label that is displayed in the case.
+ description: >-
+ The custom field label that is displayed in the
+ case.
maxLength: 50
minLength: 1
type: string
@@ -7934,8 +8736,10 @@ paths:
- toggle
type: string
required:
- description: |
- Indicates whether the field is required. If `false`, the custom field can be set to null or omitted when a case is created or updated.
+ description: >
+ Indicates whether the field is required. If `false`,
+ the custom field can be set to null or omitted when
+ a case is created or updated.
type: boolean
type: array
error:
@@ -8006,8 +8810,10 @@ paths:
- cases
/api/cases/configure/connectors/_find:
get:
- description: |
- Get information about connectors that are supported for use in cases. You must have `read` privileges for the **Actions and Connectors** feature in the **Management** section of the Kibana feature privileges.
+ description: >
+ Get information about connectors that are supported for use in cases.
+ You must have `read` privileges for the **Actions and Connectors**
+ feature in the **Management** section of the Kibana feature privileges.
operationId: findCaseConnectorsDefaultSpace
responses:
'200':
@@ -8056,8 +8862,15 @@ paths:
- cases
/api/cases/reporters:
get:
- description: |
- Returns information about the users who opened cases. You must have read privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on the owner of the cases. The API returns information about the users as they existed at the time of the case creation, including their name, full name, and email address. If any of those details change thereafter or if a user is deleted, the information returned by this API is unchanged.
+ description: >
+ Returns information about the users who opened cases. You must have read
+ privileges for the **Cases** feature in the **Management**,
+ **Observability**, or **Security** section of the Kibana feature
+ privileges, depending on the owner of the cases. The API returns
+ information about the users as they existed at the time of the case
+ creation, including their name, full name, and email address. If any of
+ those details change thereafter or if a user is deleted, the information
+ returned by this API is unchanged.
operationId: getCaseReportersDefaultSpace
parameters:
- $ref: '#/components/parameters/Cases_owner_filter'
@@ -8106,8 +8919,13 @@ paths:
/api/cases/status:
get:
deprecated: true
- description: |
- Returns the number of cases that are open, closed, and in progress. Deprecated in 8.1.0. This API is deprecated and will be removed in a future release; use the find cases API instead. You must have `read` privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on the owner of the cases you're seeking.
+ description: >
+ Returns the number of cases that are open, closed, and in progress.
+ Deprecated in 8.1.0. This API is deprecated and will be removed in a
+ future release; use the find cases API instead. You must have `read`
+ privileges for the **Cases** feature in the **Management**,
+ **Observability**, or **Security** section of the Kibana feature
+ privileges, depending on the owner of the cases you're seeking.
operationId: getCaseStatusDefaultSpace
parameters:
- $ref: '#/components/parameters/Cases_owner_filter'
@@ -8136,8 +8954,11 @@ paths:
- cases
/api/cases/tags:
get:
- description: |
- Aggregates and returns a list of case tags. You must have read privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on the owner of the cases you're seeking.
+ description: >
+ Aggregates and returns a list of case tags. You must have read
+ privileges for the **Cases** feature in the **Management**,
+ **Observability**, or **Security** section of the Kibana feature
+ privileges, depending on the owner of the cases you're seeking.
operationId: getCaseTagsDefaultSpace
parameters:
- $ref: '#/components/parameters/Cases_owner_filter'
@@ -8165,7 +8986,11 @@ paths:
- cases
/api/dashboards/dashboard:
get:
- description: This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.
+ description: >-
+ This functionality is in technical preview and may be changed or removed
+ in a future release. Elastic will work to fix any issues, but features
+ in technical preview are not subject to the support SLA of official GA
+ features.
operationId: get-dashboards-dashboard
parameters:
- description: The page number to return. Default is "1".
@@ -8176,7 +9001,9 @@ paths:
default: 1
minimum: 1
type: number
- - description: The number of dashboards to display on each page (max 1000). Default is "20".
+ - description: >-
+ The number of dashboards to display on each page (max 1000). Default
+ is "20".
in: query
name: perPage
required: false
@@ -8212,7 +9039,9 @@ paths:
type: array
timeRestore:
default: false
- description: Whether to restore time upon viewing this dashboard
+ description: >-
+ Whether to restore time upon viewing this
+ dashboard
type: boolean
title:
description: A human-readable title for the dashboard
@@ -8292,7 +9121,11 @@ paths:
x-state: Technical Preview
/api/dashboards/dashboard/{id}:
delete:
- description: This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.
+ description: >-
+ This functionality is in technical preview and may be changed or removed
+ in a future release. Elastic will work to fix any issues, but features
+ in technical preview are not subject to the support SLA of official GA
+ features.
operationId: delete-dashboards-dashboard-id
parameters:
- description: A required header to protect against CSRF attacks
@@ -8314,7 +9147,11 @@ paths:
- Dashboards
x-state: Technical Preview
get:
- description: This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.
+ description: >-
+ This functionality is in technical preview and may be changed or removed
+ in a future release. Elastic will work to fix any issues, but features
+ in technical preview are not subject to the support SLA of official GA
+ features.
operationId: get-dashboards-dashboard-id
parameters:
- description: A unique identifier for the dashboard.
@@ -8349,14 +9186,18 @@ paths:
type: boolean
chainingSystem:
default: HIERARCHICAL
- description: The chaining strategy for multiple controls. For example, "HIERARCHICAL" or "NONE".
+ description: >-
+ The chaining strategy for multiple controls.
+ For example, "HIERARCHICAL" or "NONE".
enum:
- NONE
- HIERARCHICAL
type: string
controls:
default: []
- description: An array of control panels and their state in the control group.
+ description: >-
+ An array of control panels and their state in
+ the control group.
items:
additionalProperties: true
type: object
@@ -8366,20 +9207,26 @@ paths:
type: object
grow:
default: false
- description: Expand width of the control panel to fit available space.
+ description: >-
+ Expand width of the control panel to fit
+ available space.
type: boolean
id:
description: The unique ID of the control.
type: string
order:
- description: The order of the control panel in the control group.
+ description: >-
+ The order of the control panel in the
+ control group.
type: number
type:
description: The type of the control panel.
type: string
width:
default: medium
- description: Minimum width of the control panel in the control group.
+ description: >-
+ Minimum width of the control panel in
+ the control group.
enum:
- small
- medium
@@ -8414,7 +9261,9 @@ paths:
type: boolean
labelPosition:
default: oneLine
- description: Position of the labels for controls. For example, "oneLine", "twoLine".
+ description: >-
+ Position of the labels for controls. For
+ example, "oneLine", "twoLine".
enum:
- oneLine
- twoLine
@@ -8446,7 +9295,11 @@ paths:
type: object
properties:
store:
- description: Denote whether a filter is specific to an application's context (e.g. 'appState') or whether it should be applied globally (e.g. 'globalState').
+ description: >-
+ Denote whether a filter is specific to
+ an application's context (e.g.
+ 'appState') or whether it should be
+ applied globally (e.g. 'globalState').
enum:
- appState
- globalState
@@ -8494,11 +9347,15 @@ paths:
type: object
properties:
language:
- description: The query language such as KQL or Lucene.
+ description: >-
+ The query language such as KQL or
+ Lucene.
type: string
query:
anyOf:
- - description: A text-based query such as Kibana Query Language (KQL) or Lucene query language.
+ - description: >-
+ A text-based query such as Kibana Query
+ Language (KQL) or Lucene query language.
type: string
- additionalProperties: {}
type: object
@@ -8556,19 +9413,27 @@ paths:
type: boolean
syncColors:
default: true
- description: Synchronize colors between related panels in the dashboard.
+ description: >-
+ Synchronize colors between related panels in
+ the dashboard.
type: boolean
syncCursor:
default: true
- description: Synchronize cursor position between related panels in the dashboard.
+ description: >-
+ Synchronize cursor position between related
+ panels in the dashboard.
type: boolean
syncTooltips:
default: true
- description: Synchronize tooltips between related panels in the dashboard.
+ description: >-
+ Synchronize tooltips between related panels in
+ the dashboard.
type: boolean
useMargins:
default: true
- description: Show margins between panels in the dashboard layout.
+ description: >-
+ Show margins between panels in the dashboard
+ layout.
type: boolean
panels:
default: []
@@ -8594,10 +9459,14 @@ paths:
minimum: 1
type: number
x:
- description: The x coordinate of the panel in grid units
+ description: >-
+ The x coordinate of the panel in grid
+ units
type: number
'y':
- description: The y coordinate of the panel in grid units
+ description: >-
+ The y coordinate of the panel in grid
+ units
type: number
required:
- x
@@ -8617,16 +9486,22 @@ paths:
additionalProperties: {}
type: object
hidePanelTitles:
- description: Set to true to hide the panel title in its container.
+ description: >-
+ Set to true to hide the panel title in
+ its container.
type: boolean
savedObjectId:
- description: The unique id of the library item to construct the embeddable.
+ description: >-
+ The unique id of the library item to
+ construct the embeddable.
type: string
title:
description: The title of the panel
type: string
version:
- description: The version of the embeddable in the panel.
+ description: >-
+ The version of the embeddable in the
+ panel.
type: string
panelIndex:
type: string
@@ -8640,7 +9515,13 @@ paths:
type: string
version:
deprecated: true
- description: The version was used to store Kibana version information from versions 7.3.0 -> 8.11.0. As of version 8.11.0, the versioning information is now per-embeddable-type and is stored on the embeddable's input. (panelConfig in this type).
+ description: >-
+ The version was used to store Kibana version
+ information from versions 7.3.0 -> 8.11.0.
+ As of version 8.11.0, the versioning
+ information is now per-embeddable-type and
+ is stored on the embeddable's input.
+ (panelConfig in this type).
type: string
required:
- panelConfig
@@ -8655,17 +9536,23 @@ paths:
properties:
display:
deprecated: true
- description: A human-readable string indicating the refresh frequency. No longer used.
+ description: >-
+ A human-readable string indicating the refresh
+ frequency. No longer used.
type: string
pause:
- description: Whether the refresh interval is set to be paused while viewing the dashboard.
+ description: >-
+ Whether the refresh interval is set to be
+ paused while viewing the dashboard.
type: boolean
section:
deprecated: true
description: No longer used.
type: number
value:
- description: A numeric value indicating refresh frequency in milliseconds.
+ description: >-
+ A numeric value indicating refresh frequency
+ in milliseconds.
type: number
required:
- pause
@@ -8680,7 +9567,9 @@ paths:
type: string
timeRestore:
default: false
- description: Whether to restore time upon viewing this dashboard
+ description: >-
+ Whether to restore time upon viewing this
+ dashboard
type: boolean
timeTo:
description: An ISO string indicating when to restore time from
@@ -8782,7 +9671,11 @@ paths:
- Dashboards
x-state: Technical Preview
post:
- description: This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.
+ description: >-
+ This functionality is in technical preview and may be changed or removed
+ in a future release. Elastic will work to fix any issues, but features
+ in technical preview are not subject to the support SLA of official GA
+ features.
operationId: post-dashboards-dashboard-id
parameters:
- description: A required header to protect against CSRF attacks
@@ -8819,14 +9712,18 @@ paths:
type: boolean
chainingSystem:
default: HIERARCHICAL
- description: The chaining strategy for multiple controls. For example, "HIERARCHICAL" or "NONE".
+ description: >-
+ The chaining strategy for multiple controls. For
+ example, "HIERARCHICAL" or "NONE".
enum:
- NONE
- HIERARCHICAL
type: string
controls:
default: []
- description: An array of control panels and their state in the control group.
+ description: >-
+ An array of control panels and their state in the
+ control group.
items:
additionalProperties: true
type: object
@@ -8836,20 +9733,26 @@ paths:
type: object
grow:
default: false
- description: Expand width of the control panel to fit available space.
+ description: >-
+ Expand width of the control panel to fit
+ available space.
type: boolean
id:
description: The unique ID of the control.
type: string
order:
- description: The order of the control panel in the control group.
+ description: >-
+ The order of the control panel in the control
+ group.
type: number
type:
description: The type of the control panel.
type: string
width:
default: medium
- description: Minimum width of the control panel in the control group.
+ description: >-
+ Minimum width of the control panel in the
+ control group.
enum:
- small
- medium
@@ -8884,7 +9787,9 @@ paths:
type: boolean
labelPosition:
default: oneLine
- description: Position of the labels for controls. For example, "oneLine", "twoLine".
+ description: >-
+ Position of the labels for controls. For example,
+ "oneLine", "twoLine".
enum:
- oneLine
- twoLine
@@ -8916,7 +9821,11 @@ paths:
type: object
properties:
store:
- description: Denote whether a filter is specific to an application's context (e.g. 'appState') or whether it should be applied globally (e.g. 'globalState').
+ description: >-
+ Denote whether a filter is specific to
+ an application's context (e.g.
+ 'appState') or whether it should be
+ applied globally (e.g. 'globalState').
enum:
- appState
- globalState
@@ -8968,7 +9877,9 @@ paths:
type: string
query:
anyOf:
- - description: A text-based query such as Kibana Query Language (KQL) or Lucene query language.
+ - description: >-
+ A text-based query such as Kibana Query
+ Language (KQL) or Lucene query language.
type: string
- additionalProperties: {}
type: object
@@ -9026,15 +9937,21 @@ paths:
type: boolean
syncColors:
default: true
- description: Synchronize colors between related panels in the dashboard.
+ description: >-
+ Synchronize colors between related panels in the
+ dashboard.
type: boolean
syncCursor:
default: true
- description: Synchronize cursor position between related panels in the dashboard.
+ description: >-
+ Synchronize cursor position between related panels
+ in the dashboard.
type: boolean
syncTooltips:
default: true
- description: Synchronize tooltips between related panels in the dashboard.
+ description: >-
+ Synchronize tooltips between related panels in the
+ dashboard.
type: boolean
useMargins:
default: true
@@ -9087,10 +10004,14 @@ paths:
additionalProperties: {}
type: object
hidePanelTitles:
- description: Set to true to hide the panel title in its container.
+ description: >-
+ Set to true to hide the panel title in its
+ container.
type: boolean
savedObjectId:
- description: The unique id of the library item to construct the embeddable.
+ description: >-
+ The unique id of the library item to construct
+ the embeddable.
type: string
title:
description: The title of the panel
@@ -9111,7 +10032,12 @@ paths:
type: string
version:
deprecated: true
- description: The version was used to store Kibana version information from versions 7.3.0 -> 8.11.0. As of version 8.11.0, the versioning information is now per-embeddable-type and is stored on the embeddable's input. (panelConfig in this type).
+ description: >-
+ The version was used to store Kibana version
+ information from versions 7.3.0 -> 8.11.0. As of
+ version 8.11.0, the versioning information is now
+ per-embeddable-type and is stored on the
+ embeddable's input. (panelConfig in this type).
type: string
required:
- panelConfig
@@ -9125,17 +10051,23 @@ paths:
properties:
display:
deprecated: true
- description: A human-readable string indicating the refresh frequency. No longer used.
+ description: >-
+ A human-readable string indicating the refresh
+ frequency. No longer used.
type: string
pause:
- description: Whether the refresh interval is set to be paused while viewing the dashboard.
+ description: >-
+ Whether the refresh interval is set to be paused
+ while viewing the dashboard.
type: boolean
section:
deprecated: true
description: No longer used.
type: number
value:
- description: A numeric value indicating refresh frequency in milliseconds.
+ description: >-
+ A numeric value indicating refresh frequency in
+ milliseconds.
type: number
required:
- pause
@@ -9212,14 +10144,18 @@ paths:
type: boolean
chainingSystem:
default: HIERARCHICAL
- description: The chaining strategy for multiple controls. For example, "HIERARCHICAL" or "NONE".
+ description: >-
+ The chaining strategy for multiple controls.
+ For example, "HIERARCHICAL" or "NONE".
enum:
- NONE
- HIERARCHICAL
type: string
controls:
default: []
- description: An array of control panels and their state in the control group.
+ description: >-
+ An array of control panels and their state in
+ the control group.
items:
additionalProperties: true
type: object
@@ -9229,20 +10165,26 @@ paths:
type: object
grow:
default: false
- description: Expand width of the control panel to fit available space.
+ description: >-
+ Expand width of the control panel to fit
+ available space.
type: boolean
id:
description: The unique ID of the control.
type: string
order:
- description: The order of the control panel in the control group.
+ description: >-
+ The order of the control panel in the
+ control group.
type: number
type:
description: The type of the control panel.
type: string
width:
default: medium
- description: Minimum width of the control panel in the control group.
+ description: >-
+ Minimum width of the control panel in
+ the control group.
enum:
- small
- medium
@@ -9277,7 +10219,9 @@ paths:
type: boolean
labelPosition:
default: oneLine
- description: Position of the labels for controls. For example, "oneLine", "twoLine".
+ description: >-
+ Position of the labels for controls. For
+ example, "oneLine", "twoLine".
enum:
- oneLine
- twoLine
@@ -9309,7 +10253,11 @@ paths:
type: object
properties:
store:
- description: Denote whether a filter is specific to an application's context (e.g. 'appState') or whether it should be applied globally (e.g. 'globalState').
+ description: >-
+ Denote whether a filter is specific to
+ an application's context (e.g.
+ 'appState') or whether it should be
+ applied globally (e.g. 'globalState').
enum:
- appState
- globalState
@@ -9357,11 +10305,15 @@ paths:
type: object
properties:
language:
- description: The query language such as KQL or Lucene.
+ description: >-
+ The query language such as KQL or
+ Lucene.
type: string
query:
anyOf:
- - description: A text-based query such as Kibana Query Language (KQL) or Lucene query language.
+ - description: >-
+ A text-based query such as Kibana Query
+ Language (KQL) or Lucene query language.
type: string
- additionalProperties: {}
type: object
@@ -9419,19 +10371,27 @@ paths:
type: boolean
syncColors:
default: true
- description: Synchronize colors between related panels in the dashboard.
+ description: >-
+ Synchronize colors between related panels in
+ the dashboard.
type: boolean
syncCursor:
default: true
- description: Synchronize cursor position between related panels in the dashboard.
+ description: >-
+ Synchronize cursor position between related
+ panels in the dashboard.
type: boolean
syncTooltips:
default: true
- description: Synchronize tooltips between related panels in the dashboard.
+ description: >-
+ Synchronize tooltips between related panels in
+ the dashboard.
type: boolean
useMargins:
default: true
- description: Show margins between panels in the dashboard layout.
+ description: >-
+ Show margins between panels in the dashboard
+ layout.
type: boolean
panels:
default: []
@@ -9457,10 +10417,14 @@ paths:
minimum: 1
type: number
x:
- description: The x coordinate of the panel in grid units
+ description: >-
+ The x coordinate of the panel in grid
+ units
type: number
'y':
- description: The y coordinate of the panel in grid units
+ description: >-
+ The y coordinate of the panel in grid
+ units
type: number
required:
- x
@@ -9480,16 +10444,22 @@ paths:
additionalProperties: {}
type: object
hidePanelTitles:
- description: Set to true to hide the panel title in its container.
+ description: >-
+ Set to true to hide the panel title in
+ its container.
type: boolean
savedObjectId:
- description: The unique id of the library item to construct the embeddable.
+ description: >-
+ The unique id of the library item to
+ construct the embeddable.
type: string
title:
description: The title of the panel
type: string
version:
- description: The version of the embeddable in the panel.
+ description: >-
+ The version of the embeddable in the
+ panel.
type: string
panelIndex:
type: string
@@ -9503,7 +10473,13 @@ paths:
type: string
version:
deprecated: true
- description: The version was used to store Kibana version information from versions 7.3.0 -> 8.11.0. As of version 8.11.0, the versioning information is now per-embeddable-type and is stored on the embeddable's input. (panelConfig in this type).
+ description: >-
+ The version was used to store Kibana version
+ information from versions 7.3.0 -> 8.11.0.
+ As of version 8.11.0, the versioning
+ information is now per-embeddable-type and
+ is stored on the embeddable's input.
+ (panelConfig in this type).
type: string
required:
- panelConfig
@@ -9518,17 +10494,23 @@ paths:
properties:
display:
deprecated: true
- description: A human-readable string indicating the refresh frequency. No longer used.
+ description: >-
+ A human-readable string indicating the refresh
+ frequency. No longer used.
type: string
pause:
- description: Whether the refresh interval is set to be paused while viewing the dashboard.
+ description: >-
+ Whether the refresh interval is set to be
+ paused while viewing the dashboard.
type: boolean
section:
deprecated: true
description: No longer used.
type: number
value:
- description: A numeric value indicating refresh frequency in milliseconds.
+ description: >-
+ A numeric value indicating refresh frequency
+ in milliseconds.
type: number
required:
- pause
@@ -9543,7 +10525,9 @@ paths:
type: string
timeRestore:
default: false
- description: Whether to restore time upon viewing this dashboard
+ description: >-
+ Whether to restore time upon viewing this
+ dashboard
type: boolean
timeTo:
description: An ISO string indicating when to restore time from
@@ -9625,7 +10609,11 @@ paths:
- Dashboards
x-state: Technical Preview
put:
- description: This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.
+ description: >-
+ This functionality is in technical preview and may be changed or removed
+ in a future release. Elastic will work to fix any issues, but features
+ in technical preview are not subject to the support SLA of official GA
+ features.
operationId: put-dashboards-dashboard-id
parameters:
- description: A required header to protect against CSRF attacks
@@ -9662,14 +10650,18 @@ paths:
type: boolean
chainingSystem:
default: HIERARCHICAL
- description: The chaining strategy for multiple controls. For example, "HIERARCHICAL" or "NONE".
+ description: >-
+ The chaining strategy for multiple controls. For
+ example, "HIERARCHICAL" or "NONE".
enum:
- NONE
- HIERARCHICAL
type: string
controls:
default: []
- description: An array of control panels and their state in the control group.
+ description: >-
+ An array of control panels and their state in the
+ control group.
items:
additionalProperties: true
type: object
@@ -9679,20 +10671,26 @@ paths:
type: object
grow:
default: false
- description: Expand width of the control panel to fit available space.
+ description: >-
+ Expand width of the control panel to fit
+ available space.
type: boolean
id:
description: The unique ID of the control.
type: string
order:
- description: The order of the control panel in the control group.
+ description: >-
+ The order of the control panel in the control
+ group.
type: number
type:
description: The type of the control panel.
type: string
width:
default: medium
- description: Minimum width of the control panel in the control group.
+ description: >-
+ Minimum width of the control panel in the
+ control group.
enum:
- small
- medium
@@ -9727,7 +10725,9 @@ paths:
type: boolean
labelPosition:
default: oneLine
- description: Position of the labels for controls. For example, "oneLine", "twoLine".
+ description: >-
+ Position of the labels for controls. For example,
+ "oneLine", "twoLine".
enum:
- oneLine
- twoLine
@@ -9759,7 +10759,11 @@ paths:
type: object
properties:
store:
- description: Denote whether a filter is specific to an application's context (e.g. 'appState') or whether it should be applied globally (e.g. 'globalState').
+ description: >-
+ Denote whether a filter is specific to
+ an application's context (e.g.
+ 'appState') or whether it should be
+ applied globally (e.g. 'globalState').
enum:
- appState
- globalState
@@ -9811,7 +10815,9 @@ paths:
type: string
query:
anyOf:
- - description: A text-based query such as Kibana Query Language (KQL) or Lucene query language.
+ - description: >-
+ A text-based query such as Kibana Query
+ Language (KQL) or Lucene query language.
type: string
- additionalProperties: {}
type: object
@@ -9869,15 +10875,21 @@ paths:
type: boolean
syncColors:
default: true
- description: Synchronize colors between related panels in the dashboard.
+ description: >-
+ Synchronize colors between related panels in the
+ dashboard.
type: boolean
syncCursor:
default: true
- description: Synchronize cursor position between related panels in the dashboard.
+ description: >-
+ Synchronize cursor position between related panels
+ in the dashboard.
type: boolean
syncTooltips:
default: true
- description: Synchronize tooltips between related panels in the dashboard.
+ description: >-
+ Synchronize tooltips between related panels in the
+ dashboard.
type: boolean
useMargins:
default: true
@@ -9930,10 +10942,14 @@ paths:
additionalProperties: {}
type: object
hidePanelTitles:
- description: Set to true to hide the panel title in its container.
+ description: >-
+ Set to true to hide the panel title in its
+ container.
type: boolean
savedObjectId:
- description: The unique id of the library item to construct the embeddable.
+ description: >-
+ The unique id of the library item to construct
+ the embeddable.
type: string
title:
description: The title of the panel
@@ -9954,7 +10970,12 @@ paths:
type: string
version:
deprecated: true
- description: The version was used to store Kibana version information from versions 7.3.0 -> 8.11.0. As of version 8.11.0, the versioning information is now per-embeddable-type and is stored on the embeddable's input. (panelConfig in this type).
+ description: >-
+ The version was used to store Kibana version
+ information from versions 7.3.0 -> 8.11.0. As of
+ version 8.11.0, the versioning information is now
+ per-embeddable-type and is stored on the
+ embeddable's input. (panelConfig in this type).
type: string
required:
- panelConfig
@@ -9968,17 +10989,23 @@ paths:
properties:
display:
deprecated: true
- description: A human-readable string indicating the refresh frequency. No longer used.
+ description: >-
+ A human-readable string indicating the refresh
+ frequency. No longer used.
type: string
pause:
- description: Whether the refresh interval is set to be paused while viewing the dashboard.
+ description: >-
+ Whether the refresh interval is set to be paused
+ while viewing the dashboard.
type: boolean
section:
deprecated: true
description: No longer used.
type: number
value:
- description: A numeric value indicating refresh frequency in milliseconds.
+ description: >-
+ A numeric value indicating refresh frequency in
+ milliseconds.
type: number
required:
- pause
@@ -10051,14 +11078,18 @@ paths:
type: boolean
chainingSystem:
default: HIERARCHICAL
- description: The chaining strategy for multiple controls. For example, "HIERARCHICAL" or "NONE".
+ description: >-
+ The chaining strategy for multiple controls.
+ For example, "HIERARCHICAL" or "NONE".
enum:
- NONE
- HIERARCHICAL
type: string
controls:
default: []
- description: An array of control panels and their state in the control group.
+ description: >-
+ An array of control panels and their state in
+ the control group.
items:
additionalProperties: true
type: object
@@ -10068,20 +11099,26 @@ paths:
type: object
grow:
default: false
- description: Expand width of the control panel to fit available space.
+ description: >-
+ Expand width of the control panel to fit
+ available space.
type: boolean
id:
description: The unique ID of the control.
type: string
order:
- description: The order of the control panel in the control group.
+ description: >-
+ The order of the control panel in the
+ control group.
type: number
type:
description: The type of the control panel.
type: string
width:
default: medium
- description: Minimum width of the control panel in the control group.
+ description: >-
+ Minimum width of the control panel in
+ the control group.
enum:
- small
- medium
@@ -10116,7 +11153,9 @@ paths:
type: boolean
labelPosition:
default: oneLine
- description: Position of the labels for controls. For example, "oneLine", "twoLine".
+ description: >-
+ Position of the labels for controls. For
+ example, "oneLine", "twoLine".
enum:
- oneLine
- twoLine
@@ -10148,7 +11187,11 @@ paths:
type: object
properties:
store:
- description: Denote whether a filter is specific to an application's context (e.g. 'appState') or whether it should be applied globally (e.g. 'globalState').
+ description: >-
+ Denote whether a filter is specific to
+ an application's context (e.g.
+ 'appState') or whether it should be
+ applied globally (e.g. 'globalState').
enum:
- appState
- globalState
@@ -10196,11 +11239,15 @@ paths:
type: object
properties:
language:
- description: The query language such as KQL or Lucene.
+ description: >-
+ The query language such as KQL or
+ Lucene.
type: string
query:
anyOf:
- - description: A text-based query such as Kibana Query Language (KQL) or Lucene query language.
+ - description: >-
+ A text-based query such as Kibana Query
+ Language (KQL) or Lucene query language.
type: string
- additionalProperties: {}
type: object
@@ -10258,19 +11305,27 @@ paths:
type: boolean
syncColors:
default: true
- description: Synchronize colors between related panels in the dashboard.
+ description: >-
+ Synchronize colors between related panels in
+ the dashboard.
type: boolean
syncCursor:
default: true
- description: Synchronize cursor position between related panels in the dashboard.
+ description: >-
+ Synchronize cursor position between related
+ panels in the dashboard.
type: boolean
syncTooltips:
default: true
- description: Synchronize tooltips between related panels in the dashboard.
+ description: >-
+ Synchronize tooltips between related panels in
+ the dashboard.
type: boolean
useMargins:
default: true
- description: Show margins between panels in the dashboard layout.
+ description: >-
+ Show margins between panels in the dashboard
+ layout.
type: boolean
panels:
default: []
@@ -10296,10 +11351,14 @@ paths:
minimum: 1
type: number
x:
- description: The x coordinate of the panel in grid units
+ description: >-
+ The x coordinate of the panel in grid
+ units
type: number
'y':
- description: The y coordinate of the panel in grid units
+ description: >-
+ The y coordinate of the panel in grid
+ units
type: number
required:
- x
@@ -10319,16 +11378,22 @@ paths:
additionalProperties: {}
type: object
hidePanelTitles:
- description: Set to true to hide the panel title in its container.
+ description: >-
+ Set to true to hide the panel title in
+ its container.
type: boolean
savedObjectId:
- description: The unique id of the library item to construct the embeddable.
+ description: >-
+ The unique id of the library item to
+ construct the embeddable.
type: string
title:
description: The title of the panel
type: string
version:
- description: The version of the embeddable in the panel.
+ description: >-
+ The version of the embeddable in the
+ panel.
type: string
panelIndex:
type: string
@@ -10342,7 +11407,13 @@ paths:
type: string
version:
deprecated: true
- description: The version was used to store Kibana version information from versions 7.3.0 -> 8.11.0. As of version 8.11.0, the versioning information is now per-embeddable-type and is stored on the embeddable's input. (panelConfig in this type).
+ description: >-
+ The version was used to store Kibana version
+ information from versions 7.3.0 -> 8.11.0.
+ As of version 8.11.0, the versioning
+ information is now per-embeddable-type and
+ is stored on the embeddable's input.
+ (panelConfig in this type).
type: string
required:
- panelConfig
@@ -10357,17 +11428,23 @@ paths:
properties:
display:
deprecated: true
- description: A human-readable string indicating the refresh frequency. No longer used.
+ description: >-
+ A human-readable string indicating the refresh
+ frequency. No longer used.
type: string
pause:
- description: Whether the refresh interval is set to be paused while viewing the dashboard.
+ description: >-
+ Whether the refresh interval is set to be
+ paused while viewing the dashboard.
type: boolean
section:
deprecated: true
description: No longer used.
type: number
value:
- description: A numeric value indicating refresh frequency in milliseconds.
+ description: >-
+ A numeric value indicating refresh frequency
+ in milliseconds.
type: number
required:
- pause
@@ -10382,7 +11459,9 @@ paths:
type: string
timeRestore:
default: false
- description: Whether to restore time upon viewing this dashboard
+ description: >-
+ Whether to restore time upon viewing this
+ dashboard
type: boolean
timeTo:
description: An ISO string indicating when to restore time from
@@ -10608,8 +11687,9 @@ paths:
- data views
/api/data_views/data_view/{viewId}/fields:
post:
- description: |
- Update fields presentation metadata such as count, customLabel, customDescription, and format.
+ description: >
+ Update fields presentation metadata such as count, customLabel,
+ customDescription, and format.
operationId: updateFieldsMetadataDefault
parameters:
- $ref: '#/components/parameters/Data_views_kbn_xsrf'
@@ -10836,7 +11916,8 @@ paths:
application/json:
examples:
getDefaultDataViewResponse:
- $ref: '#/components/examples/Data_views_get_default_data_view_response'
+ $ref: >-
+ #/components/examples/Data_views_get_default_data_view_response
schema:
type: object
properties:
@@ -10866,8 +11947,10 @@ paths:
type: object
properties:
data_view_id:
- description: |
- The data view identifier. NOTE: The API does not validate whether it is a valid identifier. Use `null` to unset the default data view.
+ description: >
+ The data view identifier. NOTE: The API does not validate
+ whether it is a valid identifier. Use `null` to unset the
+ default data view.
nullable: true
type: string
force:
@@ -10898,8 +11981,10 @@ paths:
- data views
/api/data_views/swap_references:
post:
- description: |
- Changes saved object references from one data view identifier to another. WARNING: Misuse can break large numbers of saved objects! Practicing with a backup is recommended.
+ description: >
+ Changes saved object references from one data view identifier to
+ another. WARNING: Misuse can break large numbers of saved objects!
+ Practicing with a backup is recommended.
operationId: swapDataViewsDefault
parameters:
- $ref: '#/components/parameters/Data_views_kbn_xsrf'
@@ -10943,8 +12028,9 @@ paths:
- data views
/api/data_views/swap_references/_preview:
post:
- description: |
- Preview the impact of swapping saved object references from one data view identifier to another.
+ description: >
+ Preview the impact of swapping saved object references from one data
+ view identifier to another.
operationId: previewSwapDataViewsDefault
parameters:
- $ref: '#/components/parameters/Data_views_kbn_xsrf'
@@ -10953,7 +12039,8 @@ paths:
application/json:
examples:
previewSwapDataViewRequest:
- $ref: '#/components/examples/Data_views_preview_swap_data_view_request'
+ $ref: >-
+ #/components/examples/Data_views_preview_swap_data_view_request
schema:
$ref: '#/components/schemas/Data_views_swap_data_view_request_object'
required: true
@@ -10998,7 +12085,8 @@ paths:
content:
application/json:
schema:
- $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_PlatformErrorResponse
description: Unsuccessful authentication response
'403':
content:
@@ -11021,6 +12109,7 @@ paths:
summary: Delete an alerts index
tags:
- Security Detections API
+ - Alert index API
get:
operationId: ReadAlertsIndex
responses:
@@ -11043,7 +12132,8 @@ paths:
content:
application/json:
schema:
- $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_PlatformErrorResponse
description: Unsuccessful authentication response
'403':
content:
@@ -11066,6 +12156,7 @@ paths:
summary: Reads the alert index name if it exists
tags:
- Security Detections API
+ - Alert index API
post:
operationId: CreateAlertsIndex
responses:
@@ -11084,7 +12175,8 @@ paths:
content:
application/json:
schema:
- $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_PlatformErrorResponse
description: Unsuccessful authentication response
'403':
content:
@@ -11107,12 +12199,17 @@ paths:
summary: Create an alerts index
tags:
- Security Detections API
+ - Alert index API
/api/detection_engine/privileges:
get:
- description: |
- Retrieves whether or not the user is authenticated, and the user's Kibana
+ description: >
+ Retrieves whether or not the user is authenticated, and the user's
+ Kibana
+
space and index privileges, which determine if the user can create an
+
index for the Elastic Security alerts generated by
+
detection engine rules.
operationId: ReadPrivileges
responses:
@@ -11134,7 +12231,8 @@ paths:
content:
application/json:
schema:
- $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_PlatformErrorResponse
description: Unsuccessful authentication response
'500':
content:
@@ -11145,17 +12243,25 @@ paths:
summary: Returns user privileges for the Kibana space
tags:
- Security Detections API
+ - Privileges API
/api/detection_engine/rules:
delete:
- description: |
+ description: >
Delete a detection rule using the `rule_id` or `id` field.
+
The URL query must include one of the following:
+
* `id` - `DELETE /api/detection_engine/rules?id=`
+
* `rule_id`- `DELETE /api/detection_engine/rules?rule_id=`
- The difference between the `id` and `rule_id` is that the `id` is a unique rule identifier that is randomly generated when a rule is created and cannot be set, whereas `rule_id` is a stable rule identifier that can be assigned during rule creation.
+
+ The difference between the `id` and `rule_id` is that the `id` is a
+ unique rule identifier that is randomly generated when a rule is created
+ and cannot be set, whereas `rule_id` is a stable rule identifier that
+ can be assigned during rule creation.
operationId: DeleteRule
parameters:
- description: The rule's `id` value.
@@ -11180,6 +12286,7 @@ paths:
summary: Delete a detection rule
tags:
- Security Detections API
+ - Rules API
x-codeSamples:
- lang: cURL
source: |
@@ -11187,15 +12294,22 @@ paths:
--request DELETE https://localhost:5601/api/detection_engine/rules?rule_id=bfeaf89b-a2a7-48a3-817f-e41829dc61ee \
--header "Content-Type: application/json; Elastic-Api-Version=2023-10-31"
get:
- description: |
+ description: >
Retrieve a detection rule using the `rule_id` or `id` field.
+
The URL query must include one of the following:
+
* `id` - `GET /api/detection_engine/rules?id=`
+
* `rule_id` - `GET /api/detection_engine/rules?rule_id=`
- The difference between the `id` and `rule_id` is that the `id` is a unique rule identifier that is randomly generated when a rule is created and cannot be set, whereas `rule_id` is a stable rule identifier that can be assigned during rule creation.
+
+ The difference between the `id` and `rule_id` is that the `id` is a
+ unique rule identifier that is randomly generated when a rule is created
+ and cannot be set, whereas `rule_id` is a stable rule identifier that
+ can be assigned during rule creation.
operationId: ReadRule
parameters:
- description: The rule's `id` value.
@@ -11225,7 +12339,10 @@ paths:
execution_summary:
last_execution:
date: '2022-03-23T16:06:12.787Z'
- message: This rule attempted to query data from Elasticsearch indices listed in the "Index pattern" section of the rule definition, but no matching index was found.
+ message: >-
+ This rule attempted to query data from Elasticsearch
+ indices listed in the "Index pattern" section of the
+ rule definition, but no matching index was found.
metrics:
execution_gap_duration_s: 0
total_indexing_duration_ms: 15
@@ -11246,7 +12363,13 @@ paths:
language: kuery
max_signals: 100
name: MS Office child process
- query: process.parent.name:EXCEL.EXE or process.parent.name:MSPUB.EXE or process.parent.name:OUTLOOK.EXE or process.parent.name:POWERPNT.EXE or process.parent.name:VISIO.EXE or process.parent.name:WINWORD.EXE
+ query: >-
+ process.parent.name:EXCEL.EXE or
+ process.parent.name:MSPUB.EXE or
+ process.parent.name:OUTLOOK.EXE or
+ process.parent.name:POWERPNT.EXE or
+ process.parent.name:VISIO.EXE or
+ process.parent.name:WINWORD.EXE
references: []
related_integrations:
- package: o365
@@ -11282,13 +12405,17 @@ paths:
version: 1
schema:
$ref: '#/components/schemas/Security_Detections_API_RuleResponse'
- description: |
+ description: >
Indicates a successful call.
+
> info
- > These fields are under development and their usage or schema may change: execution_summary.
+
+ > These fields are under development and their usage or schema may
+ change: execution_summary.
summary: Retrieve a detection rule
tags:
- Security Detections API
+ - Rules API
x-codeSamples:
- lang: cURL
source: |
@@ -11296,14 +12423,28 @@ paths:
--request GET https://localhost:5601/api/detection_engine/rules?rule_id=bfeaf89b-a2a7-48a3-817f-e41829dc61ee \
--header "Content-Type: application/json; Elastic-Api-Version=2023-10-31"
patch:
- description: |
- Update specific fields of an existing detection rule using the `rule_id` or `id` field.
+ description: >
+ Update specific fields of an existing detection rule using the `rule_id`
+ or `id` field.
+
+
+ The difference between the `id` and `rule_id` is that the `id` is a
+ unique rule identifier that is randomly generated when a rule is created
+ and cannot be set, whereas `rule_id` is a stable rule identifier that
+ can be assigned during rule creation.
- The difference between the `id` and `rule_id` is that the `id` is a unique rule identifier that is randomly generated when a rule is created and cannot be set, whereas `rule_id` is a stable rule identifier that can be assigned during rule creation.
> warn
- > When used with [API key](https://www.elastic.co/guide/en/kibana/current/api-keys.html) authentication, the user's key gets assigned to the affected rules. If the user's key gets deleted or the user becomes inactive, the rules will stop running.
- > If the API key that is used for authorization has different privileges than the key that created or most recently updated the rule, the rule behavior might change.
+ > When used with [API
+ key](https://www.elastic.co/guide/en/kibana/current/api-keys.html)
+ authentication, the user's key gets assigned to the affected rules. If
+ the user's key gets deleted or the user becomes inactive, the rules will
+ stop running.
+
+
+ > If the API key that is used for authorization has different privileges
+ than the key that created or most recently updated the rule, the rule
+ behavior might change.
operationId: PatchRule
requestBody:
content:
@@ -11332,7 +12473,9 @@ paths:
summary: Patch threshold rule
value:
id: 005d2c4f-51ca-493d-a2bd-20ef076339b1
- query: 'agent.version : * and agent.id : "243d9b4f-ca01-4311-8e5c-9abbee91afd8"'
+ query: >-
+ agent.version : * and agent.id :
+ "243d9b4f-ca01-4311-8e5c-9abbee91afd8"
threshold:
cardinality: []
field: []
@@ -11348,16 +12491,23 @@ paths:
summary: Patch esql rule
value:
id: 0b15e8a2-49b6-47e0-a8e6-d63a6cc335bd
- query: |
+ query: >
FROM logs-abc*
+
| STATS count = COUNT(*), min_timestamp = MIN(@timestamp)
- | EVAL event_rate = count / DATE_DIFF("seconds", min_timestamp, NOW())
+
+ | EVAL event_rate = count / DATE_DIFF("seconds",
+ min_timestamp, NOW())
+
| KEEP event_rate
example6:
summary: Patch indicator match rule
value:
id: 462f1986-10fe-40a3-a22c-2b1c9c4c48fd
- threat_query: '@timestamp >= "now-30d/d" and event.module:(threatintel or ti_*) and threat.indicator.ip:* and not labels.is_ioc_transform_source:"false"'
+ threat_query: >-
+ @timestamp >= "now-30d/d" and event.module:(threatintel or
+ ti_*) and threat.indicator.ip:* and not
+ labels.is_ioc_transform_source:"false"
example7:
summary: Patch machine learning rule
value:
@@ -11394,7 +12544,13 @@ paths:
language: kuery
max_signals: 100
name: Updated Rule Name
- query: process.parent.name:EXCEL.EXE or process.parent.name:MSPUB.EXE or process.parent.name:OUTLOOK.EXE or process.parent.name:POWERPNT.EXE or process.parent.name:VISIO.EXE or process.parent.name:WINWORD.EXE
+ query: >-
+ process.parent.name:EXCEL.EXE or
+ process.parent.name:MSPUB.EXE or
+ process.parent.name:OUTLOOK.EXE or
+ process.parent.name:POWERPNT.EXE or
+ process.parent.name:VISIO.EXE or
+ process.parent.name:WINWORD.EXE
references: []
related_integrations:
- package: o365
@@ -11419,62 +12575,144 @@ paths:
summary: Patch a detection rule
tags:
- Security Detections API
+ - Rules API
post:
- description: |
+ description: >
Create a new detection rule.
+
> warn
- > When used with [API key](https://www.elastic.co/guide/en/kibana/current/api-keys.html) authentication, the user's key gets assigned to the affected rules. If the user's key gets deleted or the user becomes inactive, the rules will stop running.
- > If the API key that is used for authorization has different privileges than the key that created or most recently updated the rule, the rule behavior might change.
+ > When used with [API
+ key](https://www.elastic.co/guide/en/kibana/current/api-keys.html)
+ authentication, the user's key gets assigned to the affected rules. If
+ the user's key gets deleted or the user becomes inactive, the rules will
+ stop running.
+
+
+ > If the API key that is used for authorization has different privileges
+ than the key that created or most recently updated the rule, the rule
+ behavior might change.
+
You can create the following types of rules:
- * **Custom query**: Searches the defined indices and creates an alert when a document matches the rule's KQL query.
- * **Event correlation**: Searches the defined indices and creates an alert when results match an [Event Query Language (EQL)](https://www.elastic.co/guide/en/elasticsearch/reference/current/eql.html) query.
- * **Threshold**: Searches the defined indices and creates an alert when the number of times the specified field's value meets the threshold during a single execution. When there are multiple values that meet the threshold, an alert is generated for each value.
+
+ * **Custom query**: Searches the defined indices and creates an alert
+ when a document matches the rule's KQL query.
+
+ * **Event correlation**: Searches the defined indices and creates an
+ alert when results match an [Event Query Language
+ (EQL)](https://www.elastic.co/guide/en/elasticsearch/reference/current/eql.html)
+ query.
+
+ * **Threshold**: Searches the defined indices and creates an alert when
+ the number of times the specified field's value meets the threshold
+ during a single execution. When there are multiple values that meet the
+ threshold, an alert is generated for each value.
For example, if the threshold `field` is `source.ip` and its `value` is `10`, an alert is generated for every source IP address that appears in at least 10 of the rule's search results. If you're interested, see [Terms Aggregation](https://www.elastic.co/guide/en/elasticsearch/reference/current/search-aggregations-bucket-terms-aggregation.html) for more information.
- * **Indicator match**: Creates an alert when fields match values defined in the specified [Elasticsearch index](https://www.elastic.co/guide/en/elasticsearch/reference/current/indices-create-index.html). For example, you can create an index for IP addresses and use this index to create an alert whenever an event's `destination.ip` equals a value in the index. The index's field mappings should be [ECS-compliant](https://www.elastic.co/guide/en/ecs/current/ecs-reference.html).
- * **New terms**: Generates an alert for each new term detected in source documents within a specified time range.
- * **ES|QL**: Uses [Elasticsearch Query Language (ES|QL)](https://www.elastic.co/guide/en/elasticsearch/reference/current/esql.html) to find events and aggregate search results.
- * **Machine learning rules**: Creates an alert when a machine learning job discovers an anomaly above the defined threshold.
+ * **Indicator match**: Creates an alert when fields match values defined
+ in the specified [Elasticsearch
+ index](https://www.elastic.co/guide/en/elasticsearch/reference/current/indices-create-index.html).
+ For example, you can create an index for IP addresses and use this index
+ to create an alert whenever an event's `destination.ip` equals a value
+ in the index. The index's field mappings should be
+ [ECS-compliant](https://www.elastic.co/guide/en/ecs/current/ecs-reference.html).
+
+ * **New terms**: Generates an alert for each new term detected in source
+ documents within a specified time range.
+
+ * **ES|QL**: Uses [Elasticsearch Query Language
+ (ES|QL)](https://www.elastic.co/guide/en/elasticsearch/reference/current/esql.html)
+ to find events and aggregate search results.
+
+ * **Machine learning rules**: Creates an alert when a machine learning
+ job discovers an anomaly above the defined threshold.
+
> info
- > To create machine learning rules, you must have the [appropriate license](https://www.elastic.co/subscriptions) or use a [cloud deployment](https://cloud.elastic.co/registration). Additionally, for the machine learning rule to function correctly, the associated machine learning job must be running.
- To retrieve machine learning job IDs, which are required to create machine learning jobs, call the [Elasticsearch Get jobs API](https://www.elastic.co/guide/en/elasticsearch/reference/current/ml-get-job.html). Machine learning jobs that contain `siem` in the `groups` field can be used to create rules:
+ > To create machine learning rules, you must have the [appropriate
+ license](https://www.elastic.co/subscriptions) or use a [cloud
+ deployment](https://cloud.elastic.co/registration). Additionally, for
+ the machine learning rule to function correctly, the associated machine
+ learning job must be running.
+
+
+ To retrieve machine learning job IDs, which are required to create
+ machine learning jobs, call the [Elasticsearch Get jobs
+ API](https://www.elastic.co/guide/en/elasticsearch/reference/current/ml-get-job.html).
+ Machine learning jobs that contain `siem` in the `groups` field can be
+ used to create rules:
+
```json
+
...
+
"job_id": "linux_anomalous_network_activity_ecs",
+
"job_type": "anomaly_detector",
+
"job_version": "7.7.0",
+
"groups": [
"auditbeat",
"process",
"siem"
],
+
...
+
```
- Additionally, you can set up notifications for when rules create alerts. The notifications use the [Alerting and Actions framework](https://www.elastic.co/guide/en/kibana/current/alerting-getting-started.html). Each action type requires a connector. Connectors store the information required to send notifications via external systems. The following connector types are supported for rule notifications:
+
+ Additionally, you can set up notifications for when rules create alerts.
+ The notifications use the [Alerting and Actions
+ framework](https://www.elastic.co/guide/en/kibana/current/alerting-getting-started.html).
+ Each action type requires a connector. Connectors store the information
+ required to send notifications via external systems. The following
+ connector types are supported for rule notifications:
+
* Slack
+
* Email
+
* PagerDuty
+
* Webhook
+
* Microsoft Teams
+
* IBM Resilient
+
* Jira
+
* ServiceNow ITSM
+
> info
- > For more information on PagerDuty fields, see [Send a v2 Event](https://developer.pagerduty.com/docs/events-api-v2/trigger-events/).
- To retrieve connector IDs, which are required to configure rule notifications, call the [Find objects API](https://www.elastic.co/guide/en/kibana/current/saved-objects-api-find.html) with `"type": "action"` in the request payload.
+ > For more information on PagerDuty fields, see [Send a v2
+ Event](https://developer.pagerduty.com/docs/events-api-v2/trigger-events/).
+
+
+ To retrieve connector IDs, which are required to configure rule
+ notifications, call the [Find objects
+ API](https://www.elastic.co/guide/en/kibana/current/saved-objects-api-find.html)
+ with `"type": "action"` in the request payload.
+
+
+ For detailed information on Kibana actions and alerting, and additional
+ API calls, see:
+
- For detailed information on Kibana actions and alerting, and additional API calls, see:
+ * [Alerting
+ API](https://www.elastic.co/docs/api/doc/kibana/group/endpoint-alerting)
- * [Alerting API](https://www.elastic.co/docs/api/doc/kibana/group/endpoint-alerting)
- * [Alerting and Actions framework](https://www.elastic.co/guide/en/kibana/current/alerting-getting-started.html)
- * [Connectors API](https://www.elastic.co/docs/api/doc/kibana/group/endpoint-connectors)
+ * [Alerting and Actions
+ framework](https://www.elastic.co/guide/en/kibana/current/alerting-getting-started.html)
+
+ * [Connectors
+ API](https://www.elastic.co/docs/api/doc/kibana/group/endpoint-connectors)
operationId: CreateRule
requestBody:
content:
@@ -11496,7 +12734,13 @@ paths:
interval: 1h
language: kuery
name: MS Office child process
- query: process.parent.name:EXCEL.EXE or process.parent.name:MSPUB.EXE or process.parent.name:OUTLOOK.EXE or process.parent.name:POWERPNT.EXE or process.parent.name:VISIO.EXE or process.parent.name:WINWORD.EXE
+ query: >-
+ process.parent.name:EXCEL.EXE or
+ process.parent.name:MSPUB.EXE or
+ process.parent.name:OUTLOOK.EXE or
+ process.parent.name:POWERPNT.EXE or
+ process.parent.name:VISIO.EXE or
+ process.parent.name:WINWORD.EXE
related_integrations:
- package: o365
version: ^2.3.2
@@ -11511,10 +12755,14 @@ paths:
- ms office
type: query
example2:
- description: Threshold rule that detects multiple failed login attempts to a Windows host from the same external source IP address
+ description: >-
+ Threshold rule that detects multiple failed login attempts to
+ a Windows host from the same external source IP address
summary: Threshold rule
value:
- description: Detects when there are 20 or more failed login attempts from the same IP address with a 2 minute time frame.
+ description: >-
+ Detects when there are 20 or more failed login attempts from
+ the same IP address with a 2 minute time frame.
enabled: true
exceptions_list:
- id: int-ips
@@ -11525,7 +12773,9 @@ paths:
- winlogbeat-*
interval: 2m
name: Windows server prml-19
- query: host.name:prml-19 and event.category:authentication and event.outcome:failure
+ query: >-
+ host.name:prml-19 and event.category:authentication and
+ event.outcome:failure
required_fields:
- name: source.ip
type: ip
@@ -11556,7 +12806,11 @@ paths:
value: 20
type: threshold
example3:
- description: Machine learning rule that creates alerts, and sends Slack notifications, when the linux_anomalous_network_activity_ecs machine learning job discovers anomalies with a threshold of 70 or above.
+ description: >-
+ Machine learning rule that creates alerts, and sends Slack
+ notifications, when the linux_anomalous_network_activity_ecs
+ machine learning job discovers anomalies with a threshold of
+ 70 or above.
summary: Machine learning rule
value:
actions:
@@ -11582,13 +12836,23 @@ paths:
- Linux
type: machine_learning
example4:
- description: Event correlation rule that creates alerts when the Windows rundll32.exe process makes unusual network connections
+ description: >-
+ Event correlation rule that creates alerts when the Windows
+ rundll32.exe process makes unusual network connections
summary: EQL rule
value:
description: Unusual rundll32.exe network connection
language: eql
name: rundll32.exe network connection
- query: sequence by process.entity_id with maxspan=2h [process where event.type in ("start", "process_started") and (process.name == "rundll32.exe" or process.pe.original_file_name == "rundll32.exe") and ((process.args == "rundll32.exe" and process.args_count == 1) or (process.args != "rundll32.exe" and process.args_count == 0))] [network where event.type == "connection" and (process.name == "rundll32.exe" or process.pe.original_file_name == "rundll32.exe")]
+ query: >-
+ sequence by process.entity_id with maxspan=2h [process where
+ event.type in ("start", "process_started") and (process.name
+ == "rundll32.exe" or process.pe.original_file_name ==
+ "rundll32.exe") and ((process.args == "rundll32.exe" and
+ process.args_count == 1) or (process.args != "rundll32.exe"
+ and process.args_count == 0))] [network where event.type ==
+ "connection" and (process.name == "rundll32.exe" or
+ process.pe.original_file_name == "rundll32.exe")]
required_fields:
- name: event.type
type: keyword
@@ -11611,12 +12875,18 @@ paths:
- rundll32.exe
type: eql
example5:
- description: |
- Indicator match rule that creates an alert when one of the following is true: The event's destination IP address and port number matches destination IP and port values in the threat_index index; The event's source IP address matches a host IP address value in the threat_index index.
+ description: >
+ Indicator match rule that creates an alert when one of the
+ following is true: The event's destination IP address and port
+ number matches destination IP and port values in the
+ threat_index index; The event's source IP address matches a
+ host IP address value in the threat_index index.
summary: Indicator match rule
value:
actions: []
- description: Checks for bad IP addresses listed in the ip-threat-list index
+ description: >-
+ Checks for bad IP addresses listed in the ip-threat-list
+ index
index:
- packetbeat-*
name: Bad IP threat match
@@ -11647,7 +12917,9 @@ paths:
threat_query: '*:*'
type: threat_match
example6:
- description: New terms rule that creates alerts a new IP address is detected for a user
+ description: >-
+ New terms rule that creates alerts a new IP address is
+ detected for a user
summary: New terms rule
value:
description: Detects a user associated with a new IP address
@@ -11669,7 +12941,9 @@ paths:
severity: medium
type: new_terms
example7:
- description: esql rule that creates alerts from events that match an Excel parent process
+ description: >-
+ esql rule that creates alerts from events that match an Excel
+ parent process
summary: Esql rule
value:
description: Find Excel events
@@ -11678,7 +12952,9 @@ paths:
interval: 5m
language: esql
name: Find Excel events
- query: from auditbeat-8.10.2 METADATA _id, _version, _index | where process.parent.name == "EXCEL.EXE"
+ query: >-
+ from auditbeat-8.10.2 METADATA _id, _version, _index | where
+ process.parent.name == "EXCEL.EXE"
required_fields:
- name: process.parent.name
type: keyword
@@ -11688,7 +12964,10 @@ paths:
to: now
type: esql
example8:
- description: Query rule that searches for processes started by MS Office and suppresses alerts by the process.parent.name field within a 5-hour time period
+ description: >-
+ Query rule that searches for processes started by MS Office
+ and suppresses alerts by the process.parent.name field within
+ a 5-hour time period
summary: Query rule 2
value:
alert_suppression:
@@ -11710,7 +12989,13 @@ paths:
interval: 1h
language: kuery
name: MS Office child process
- query: process.parent.name:EXCEL.EXE or process.parent.name:MSPUB.EXE or process.parent.name:OUTLOOK.EXE or process.parent.name:POWERPNT.EXE or process.parent.name:VISIO.EXE or process.parent.name:WINWORD.EXE
+ query: >-
+ process.parent.name:EXCEL.EXE or
+ process.parent.name:MSPUB.EXE or
+ process.parent.name:OUTLOOK.EXE or
+ process.parent.name:POWERPNT.EXE or
+ process.parent.name:VISIO.EXE or
+ process.parent.name:WINWORD.EXE
risk_score: 50
rule_id: process_started_by_ms_office_program
severity: low
@@ -11749,7 +13034,13 @@ paths:
language: kuery
max_signals: 100
name: MS Office child process
- query: process.parent.name:EXCEL.EXE or process.parent.name:MSPUB.EXE or process.parent.name:OUTLOOK.EXE or process.parent.name:POWERPNT.EXE or process.parent.name:VISIO.EXE or process.parent.name:WINWORD.EXE
+ query: >-
+ process.parent.name:EXCEL.EXE or
+ process.parent.name:MSPUB.EXE or
+ process.parent.name:OUTLOOK.EXE or
+ process.parent.name:POWERPNT.EXE or
+ process.parent.name:VISIO.EXE or
+ process.parent.name:WINWORD.EXE
references: []
related_integrations:
- package: o365
@@ -11828,7 +13119,9 @@ paths:
author: []
created_at: '2020-07-22T10:27:23.486Z'
created_by: elastic
- description: Detects when there are 20 or more failed login attempts from the same IP address with a 2 minute time frame.
+ description: >-
+ Detects when there are 20 or more failed login attempts
+ from the same IP address with a 2 minute time frame.
enabled: true
exceptions_list:
- id: int-ips
@@ -11844,7 +13137,9 @@ paths:
language: kuery
max_signals: 100
name: Windows server prml-19
- query: host.name:prml-19 and event.category:authentication and event.outcome:failure
+ query: >-
+ host.name:prml-19 and event.category:authentication and
+ event.outcome:failure
references: []
related_integrations:
- package: o365
@@ -11904,7 +13199,16 @@ paths:
language: eql
max_signals: 100
name: rundll32.exe network connection
- query: sequence by process.entity_id with maxspan=2h [process where event.type in ("start", "process_started") and (process.name == "rundll32.exe" or process.pe.original_file_name == "rundll32.exe") and ((process.args == "rundll32.exe" and process.args_count == 1) or (process.args != "rundll32.exe" and process.args_count == 0))] [network where event.type == "connection" and (process.name == "rundll32.exe" or process.pe.original_file_name == "rundll32.exe")]
+ query: >-
+ sequence by process.entity_id with maxspan=2h [process
+ where event.type in ("start", "process_started") and
+ (process.name == "rundll32.exe" or
+ process.pe.original_file_name == "rundll32.exe") and
+ ((process.args == "rundll32.exe" and process.args_count ==
+ 1) or (process.args != "rundll32.exe" and
+ process.args_count == 0))] [network where event.type ==
+ "connection" and (process.name == "rundll32.exe" or
+ process.pe.original_file_name == "rundll32.exe")]
references: []
related_integrations:
- package: o365
@@ -11952,7 +13256,9 @@ paths:
author: []
created_at: '2020-10-06T07:07:58.227Z'
created_by: elastic
- description: Checks for bad IP addresses listed in the ip-threat-list index
+ description: >-
+ Checks for bad IP addresses listed in the ip-threat-list
+ index
enabled: true
exceptions_list: []
false_positives: []
@@ -12077,7 +13383,9 @@ paths:
max_signals: 100
name: Find Excel events
output_index: ''
- query: from auditbeat-8.10.2 METADATA _id | where process.parent.name == "EXCEL.EXE"
+ query: >-
+ from auditbeat-8.10.2 METADATA _id | where
+ process.parent.name == "EXCEL.EXE"
references: []
related_integrations:
- package: o365
@@ -12107,14 +13415,28 @@ paths:
tags:
- Security Detections API
put:
- description: |
- Update a detection rule using the `rule_id` or `id` field. The original rule is replaced, and all unspecified fields are deleted.
+ description: >
+ Update a detection rule using the `rule_id` or `id` field. The original
+ rule is replaced, and all unspecified fields are deleted.
+
+
+ The difference between the `id` and `rule_id` is that the `id` is a
+ unique rule identifier that is randomly generated when a rule is created
+ and cannot be set, whereas `rule_id` is a stable rule identifier that
+ can be assigned during rule creation.
- The difference between the `id` and `rule_id` is that the `id` is a unique rule identifier that is randomly generated when a rule is created and cannot be set, whereas `rule_id` is a stable rule identifier that can be assigned during rule creation.
> warn
- > When used with [API key](https://www.elastic.co/guide/en/kibana/current/api-keys.html) authentication, the user's key gets assigned to the affected rules. If the user's key gets deleted or the user becomes inactive, the rules will stop running.
- > If the API key that is used for authorization has different privileges than the key that created or most recently updated the rule, the rule behavior might change.
+ > When used with [API
+ key](https://www.elastic.co/guide/en/kibana/current/api-keys.html)
+ authentication, the user's key gets assigned to the affected rules. If
+ the user's key gets deleted or the user becomes inactive, the rules will
+ stop running.
+
+
+ > If the API key that is used for authorization has different privileges
+ than the key that created or most recently updated the rule, the rule
+ behavior might change.
operationId: UpdateRule
requestBody:
content:
@@ -12149,7 +13471,9 @@ paths:
id: 005d2c4f-51ca-493d-a2bd-20ef076339b1
language: kuery
name: New name for threat rule
- query: 'agent.version : * and agent.id : "243d9b4f-ca01-4311-8e5c-9abbee91afd8"'
+ query: >-
+ agent.version : * and agent.id :
+ "243d9b4f-ca01-4311-8e5c-9abbee91afd8"
risk_score: 21
severity: low
tags:
@@ -12180,10 +13504,19 @@ paths:
id: 0b15e8a2-49b6-47e0-a8e6-d63a6cc335bd
language: esql
name: New name for esql rule
- query: |
+ query: >
FROM logs*
- | STATS count = COUNT(*), min_timestamp = MIN(@timestamp) /* MIN(dateField) finds the earliest timestamp in the dataset. */
- | EVAL event_rate = count / DATE_DIFF("seconds", min_timestamp, NOW()) /* Calculates the event rate by dividing the total count of events by the time difference (in seconds) between the earliest event and the current time. */
+
+ | STATS count = COUNT(*), min_timestamp = MIN(@timestamp) /*
+ MIN(dateField) finds the earliest timestamp in the dataset.
+ */
+
+ | EVAL event_rate = count / DATE_DIFF("seconds",
+ min_timestamp, NOW()) /* Calculates the event rate by
+ dividing the total count of events by the time difference
+ (in seconds) between the earliest event and the current
+ time. */
+
| KEEP event_rate
risk_score: 21
severity: low
@@ -12209,7 +13542,10 @@ paths:
- field: destination.ip
type: mapping
value: threat.indicator.ip
- threat_query: '@timestamp >= "now-30d/d" and event.module:(threatintel or ti_*) and threat.indicator.ip:* and not labels.is_ioc_transform_source:"true"'
+ threat_query: >-
+ @timestamp >= "now-30d/d" and event.module:(threatintel or
+ ti_*) and threat.indicator.ip:* and not
+ labels.is_ioc_transform_source:"true"
type: threat_match
example7:
summary: Update machine learning rule
@@ -12225,9 +13561,11 @@ paths:
type: machine_learning
schema:
$ref: '#/components/schemas/Security_Detections_API_RuleUpdateProps'
- description: |
+ description: >
> info
- > All unspecified fields are deleted. You cannot modify the `id` or `rule_id` values.
+
+ > All unspecified fields are deleted. You cannot modify the `id` or
+ `rule_id` values.
required: true
responses:
'200':
@@ -12252,7 +13590,13 @@ paths:
language: kuery
max_signals: 100
name: Updated Rule Name
- query: process.parent.name:EXCEL.EXE or process.parent.name:MSPUB.EXE or process.parent.name:OUTLOOK.EXE or process.parent.name:POWERPNT.EXE or process.parent.name:VISIO.EXE or process.parent.name:WINWORD.EXE
+ query: >-
+ process.parent.name:EXCEL.EXE or
+ process.parent.name:MSPUB.EXE or
+ process.parent.name:OUTLOOK.EXE or
+ process.parent.name:POWERPNT.EXE or
+ process.parent.name:VISIO.EXE or
+ process.parent.name:WINWORD.EXE
references: []
related_integrations:
- package: o365
@@ -12277,27 +13621,62 @@ paths:
summary: Update a detection rule
tags:
- Security Detections API
+ - Rules API
/api/detection_engine/rules/_bulk_action:
post:
- description: |
- Apply a bulk action, such as bulk edit, duplicate, or delete, to multiple detection rules. The bulk action is applied to all rules that match the query or to the rules listed by their IDs.
+ description: >
+ Apply a bulk action, such as bulk edit, duplicate, or delete, to
+ multiple detection rules. The bulk action is applied to all rules that
+ match the query or to the rules listed by their IDs.
+
+
+ The edit action allows you to add, delete, or set tags, index patterns,
+ investigation fields, rule actions and schedules for multiple rules at
+ once.
+
+ The edit action is idempotent, meaning that if you add a tag to a rule
+ that already has that tag, no changes are made. The same is true for
+ other edit actions, for example removing an index pattern that is not
+ specified in a rule will not result in any changes. The only exception
+ is the `add_rule_actions` and `set_rule_actions` action, which is
+ non-idempotent. This means that if you add or set a rule action to a
+ rule that already has that action, a new action is created with a new
+ unique ID.
- The edit action allows you to add, delete, or set tags, index patterns, investigation fields, rule actions and schedules for multiple rules at once.
- The edit action is idempotent, meaning that if you add a tag to a rule that already has that tag, no changes are made. The same is true for other edit actions, for example removing an index pattern that is not specified in a rule will not result in any changes. The only exception is the `add_rule_actions` and `set_rule_actions` action, which is non-idempotent. This means that if you add or set a rule action to a rule that already has that action, a new action is created with a new unique ID.
> warn
- > When used with [API key](https://www.elastic.co/guide/en/kibana/current/api-keys.html) authentication, the user's key gets assigned to the affected rules. If the user's key gets deleted or the user becomes inactive, the rules will stop running.
- > If the API key that is used for authorization has different privileges than the key that created or most recently updated the rule, the rule behavior might change.
+ > When used with [API
+ key](https://www.elastic.co/guide/en/kibana/current/api-keys.html)
+ authentication, the user's key gets assigned to the affected rules. If
+ the user's key gets deleted or the user becomes inactive, the rules will
+ stop running.
+
+
+ > If the API key that is used for authorization has different privileges
+ than the key that created or most recently updated the rule, the rule
+ behavior might change.
operationId: PerformRulesBulkAction
parameters:
- - description: |
+ - description: >
Enables dry run mode for the request call.
- Enable dry run mode to verify that bulk actions can be applied to specified rules. Certain rules, such as prebuilt Elastic rules on a Basic subscription, can’t be edited and will return errors in the request response. Error details will contain an explanation, the rule name and/or ID, and additional troubleshooting information.
- To enable dry run mode on a request, add the query parameter `dry_run=true` to the end of the request URL. Rules specified in the request will be temporarily updated. These updates won’t be written to Elasticsearch.
+ Enable dry run mode to verify that bulk actions can be applied to
+ specified rules. Certain rules, such as prebuilt Elastic rules on a
+ Basic subscription, can’t be edited and will return errors in the
+ request response. Error details will contain an explanation, the
+ rule name and/or ID, and additional troubleshooting information.
+
+
+ To enable dry run mode on a request, add the query parameter
+ `dry_run=true` to the end of the request URL. Rules specified in the
+ request will be temporarily updated. These updates won’t be written
+ to Elasticsearch.
+
> info
- > Dry run mode is not supported for the `export` bulk action. A 400 error will be returned in the request response.
+
+ > Dry run mode is not supported for the `export` bulk action. A 400
+ error will be returned in the request response.
in: query
name: dry_run
required: false
@@ -12328,7 +13707,9 @@ paths:
ids:
- 748694f0-6977-4ea5-8384-cd2e39730779
example04:
- description: The following request duplicates rules with the specified IDs, including exceptions but not expired exceptions.
+ description: >-
+ The following request duplicates rules with the specified IDs,
+ including exceptions but not expired exceptions.
summary: Duplicate - Duplicate rules with specific IDs
value:
action: duplicate
@@ -12346,7 +13727,9 @@ paths:
ids:
- cf4abfd1-7c37-4519-ab0f-5ea5c75fac60
example06:
- description: The following request runs the rule with the specified ID within the given date range.
+ description: >-
+ The following request runs the rule with the specified ID
+ within the given date range.
summary: Run - Run a specific rule by ID
value:
action: run
@@ -12356,14 +13739,21 @@ paths:
end_date: '2025-03-10T23:59:59.999Z'
start_date: '2025-03-01T00:00:00.000Z'
example07:
- description: The following request exports the rules with the specified IDs.
+ description: >-
+ The following request exports the rules with the specified
+ IDs.
summary: Export - Export specific rules by ID
value:
action: export
ids:
- 748694f0-6977-4ea5-8384-cd2e39730779
example08:
- description: The following request will validate that the add_index_patterns bulk action can be successfully applied to three rules. The dry_run parameter is specified in query parameters, e.g. POST api/detection_engine/rules/_bulk_action?dry_run=true
+ description: >-
+ The following request will validate that the
+ add_index_patterns bulk action can be successfully applied to
+ three rules. The dry_run parameter is specified in query
+ parameters, e.g. POST
+ api/detection_engine/rules/_bulk_action?dry_run=true
summary: Edit - dry run - Validate add_index_patterns bulk action
value:
action: edit
@@ -12376,7 +13766,10 @@ paths:
- dc015d10-0831-11ed-ac8b-05a222bd8d4a
- de8f5af0-0831-11ed-ac8b-05a222bd8d4a
example09:
- description: The following request adds the tag "tag-1" to the rules with the specified IDs. If the tag already exists for a rule, no changes are made.
+ description: >-
+ The following request adds the tag "tag-1" to the rules with
+ the specified IDs. If the tag already exists for a rule, no
+ changes are made.
summary: Edit - Add a tag to rules (idempotent)
value:
action: edit
@@ -12388,7 +13781,10 @@ paths:
- 8bc7dad0-9320-11ec-9265-8b772383a08d
- 8e5c1a40-9320-11ec-9265-8b772383a08d
example10:
- description: The following request adds two tags at the same time, tag-1 and tag-2, to the rules that have the IDs sent in the payload. If the tags already exist for a rule, no changes are made.
+ description: >-
+ The following request adds two tags at the same time, tag-1
+ and tag-2, to the rules that have the IDs sent in the payload.
+ If the tags already exist for a rule, no changes are made.
summary: Edit - Add two tags to rules (idempotent)
value:
action: edit
@@ -12401,7 +13797,10 @@ paths:
- 8bc7dad0-9320-11ec-9265-8b772383a08d
- 8e5c1a40-9320-11ec-9265-8b772383a08d
example11:
- description: The following request removes the tag "tag-1" from the rules with the specified IDs. If the tag does not exist for a rule, no changes are made.
+ description: >-
+ The following request removes the tag "tag-1" from the rules
+ with the specified IDs. If the tag does not exist for a rule,
+ no changes are made.
summary: Edit - Delete a tag from rules (idempotent)
value:
action: edit
@@ -12413,7 +13812,11 @@ paths:
- 8bc7dad0-9320-11ec-9265-8b772383a08d
- 8e5c1a40-9320-11ec-9265-8b772383a08d
example12:
- description: The following request sets the tags "tag-1" and "tag-2" for the rules with the specified IDs, overwriting any existing tags. If the set of tags is the same as the existing tags, no changes are made.
+ description: >-
+ The following request sets the tags "tag-1" and "tag-2" for
+ the rules with the specified IDs, overwriting any existing
+ tags. If the set of tags is the same as the existing tags, no
+ changes are made.
summary: Edit - Set (overwrite existing) tags for rules (idempotent)
value:
action: edit
@@ -12426,7 +13829,10 @@ paths:
- 8bc7dad0-9320-11ec-9265-8b772383a08d
- 8e5c1a40-9320-11ec-9265-8b772383a08d
example13:
- description: The following request adds the index pattern "test-*" to the rules with the specified IDs. If the index pattern already exists for a rule, no changes are made.
+ description: >-
+ The following request adds the index pattern "test-*" to the
+ rules with the specified IDs. If the index pattern already
+ exists for a rule, no changes are made.
summary: Edit - Add index patterns to rules (idempotent)
value:
action: edit
@@ -12438,7 +13844,10 @@ paths:
- 81aa0480-06af-11ed-94fb-dd1a0597d8d2
- dc015d10-0831-11ed-ac8b-05a222bd8d4a
example14:
- description: The following request removes the index pattern "test-*" from the rules with the specified IDs. If the index pattern does not exist for a rule, no changes are made.
+ description: >-
+ The following request removes the index pattern "test-*" from
+ the rules with the specified IDs. If the index pattern does
+ not exist for a rule, no changes are made.
summary: Edit - Remove index patterns from rules (idempotent)
value:
action: edit
@@ -12450,8 +13859,14 @@ paths:
- 81aa0480-06af-11ed-94fb-dd1a0597d8d2
- dc015d10-0831-11ed-ac8b-05a222bd8d4a
example15:
- description: The following request sets the index patterns "test-*" and "prod-*" for the rules with the specified IDs, overwriting any existing index patterns. If the set of index patterns is the same as the existing index patterns, no changes are made.
- summary: Edit - Set (overwrite existing) index patterns for rules patterns (idempotent)
+ description: >-
+ The following request sets the index patterns "test-*" and
+ "prod-*" for the rules with the specified IDs, overwriting any
+ existing index patterns. If the set of index patterns is the
+ same as the existing index patterns, no changes are made.
+ summary: >-
+ Edit - Set (overwrite existing) index patterns for rules
+ patterns (idempotent)
value:
action: edit
edit:
@@ -12462,7 +13877,9 @@ paths:
- 81aa0480-06af-11ed-94fb-dd1a0597d8d2
- dc015d10-0831-11ed-ac8b-05a222bd8d4a
example16:
- description: The following request adds investigation field to the rules with the specified IDs.
+ description: >-
+ The following request adds investigation field to the rules
+ with the specified IDs.
summary: Edit - Add investigation field to rules
value:
action: edit
@@ -12475,7 +13892,10 @@ paths:
- 12345678-1234-1234-1234-1234567890ab
- 87654321-4321-4321-4321-0987654321ba
example17:
- description: The following request deletes investigation fields from the rules with the specified IDs. If the field does not exist for a rule, no changes are made.
+ description: >-
+ The following request deletes investigation fields from the
+ rules with the specified IDs. If the field does not exist for
+ a rule, no changes are made.
summary: Edit - Delete investigation fields from rules (idempotent)
value:
action: edit
@@ -12488,8 +13908,14 @@ paths:
- field1
- field2
example18:
- description: The following request sets investigation fields for the rules with the specified IDs, overwriting any existing investigation fields. If the set of investigation fields is the same as the existing investigation fields, no changes are made.
- summary: Edit - Set (overwrite existing) investigation fields for rules (idempotent)
+ description: >-
+ The following request sets investigation fields for the rules
+ with the specified IDs, overwriting any existing investigation
+ fields. If the set of investigation fields is the same as the
+ existing investigation fields, no changes are made.
+ summary: >-
+ Edit - Set (overwrite existing) investigation fields for rules
+ (idempotent)
value:
action: edit
edit:
@@ -12501,8 +13927,13 @@ paths:
- 12345678-1234-1234-1234-1234567890ab
- 87654321-4321-4321-4321-0987654321ba
example19:
- description: The following request sets a timeline template for the rules with the specified IDs. If the same timeline template is already set for a rule, no changes are made.
- summary: Edit - Set (overwrite existing) timeline template for rules (idempotent)
+ description: >-
+ The following request sets a timeline template for the rules
+ with the specified IDs. If the same timeline template is
+ already set for a rule, no changes are made.
+ summary: >-
+ Edit - Set (overwrite existing) timeline template for rules
+ (idempotent)
value:
action: edit
edit:
@@ -12513,8 +13944,13 @@ paths:
ids:
- eacdfc95-e007-41c9-986e-4b2cbdfdc71b
example20:
- description: The following request sets a schedule for the rules with the specified IDs. If the same schedule is already set for a rule, no changes are made.
- summary: Edit - Set (overwrite existing) schedule for rules (idempotent)
+ description: >-
+ The following request sets a schedule for the rules with the
+ specified IDs. If the same schedule is already set for a rule,
+ no changes are made.
+ summary: >-
+ Edit - Set (overwrite existing) schedule for rules
+ (idempotent)
value:
action: edit
edit:
@@ -12525,7 +13961,9 @@ paths:
ids:
- 99887766-5544-3322-1100-aabbccddeeff
example21:
- description: The following request adds rule actions to the rules with the specified IDs. Each new action receives its own unique ID.
+ description: >-
+ The following request adds rule actions to the rules with the
+ specified IDs. Each new action receives its own unique ID.
summary: Edit - Add rule actions to rules (non-idempotent)
value:
action: edit
@@ -12540,8 +13978,12 @@ paths:
ids:
- 9e946bfc-3118-4c77-bb25-67d781191928
example22:
- description: The following request sets rule actions for the rules with the specified IDs. Each action receives its own unique ID.
- summary: Edit - Set (overwrite existing) rule actions for rules (non-idempotent)
+ description: >-
+ The following request sets rule actions for the rules with the
+ specified IDs. Each action receives its own unique ID.
+ summary: >-
+ Edit - Set (overwrite existing) rule actions for rules
+ (non-idempotent)
value:
action: edit
edit:
@@ -12555,7 +13997,9 @@ paths:
ids:
- 9e946bfc-3118-4c77-bb25-67d781191928
example23:
- description: The following request adds rule actions to the rules with the specified IDs. Each new action receives its own unique ID.
+ description: >-
+ The following request adds rule actions to the rules with the
+ specified IDs. Each new action receives its own unique ID.
summary: Edit - Add rule actions to rules for a webhook connector
value:
action: edit
@@ -12570,7 +14014,9 @@ paths:
ids:
- 9e946bfc-3118-4c77-bb25-67d781191921
example24:
- description: The following request adds rule actions to the rules with the specified IDs. Each new action receives its own unique ID.
+ description: >-
+ The following request adds rule actions to the rules with the
+ specified IDs. Each new action receives its own unique ID.
summary: Edit - Add rule actions to rules for an email connector
value:
action: edit
@@ -12587,7 +14033,9 @@ paths:
ids:
- 9e946bfc-3118-4c77-bb25-67d781191921
example25:
- description: The following request adds rule actions to the rules with the specified IDs. Each new action receives its own unique ID.
+ description: >-
+ The following request adds rule actions to the rules with the
+ specified IDs. Each new action receives its own unique ID.
summary: Edit - Add rule actions to rules for a slack connector
value:
action: edit
@@ -12602,7 +14050,9 @@ paths:
ids:
- 9e946bfc-3118-4c77-bb25-67d781191921
example26:
- description: The following request adds rule actions to the rules with the specified IDs. Each new action receives its own unique ID.
+ description: >-
+ The following request adds rule actions to the rules with the
+ specified IDs. Each new action receives its own unique ID.
summary: Edit - Add rule actions to rules for a PagerDuty connector
value:
action: edit
@@ -12616,17 +14066,20 @@ paths:
eventAction: trigger
severity: critical
summary: The message body
- timestamp: '2023-10-31T00:00:00.000Z'
+ timestamp: 2023-10-31T00:00:00.000Z
ids:
- 9e946bfc-3118-4c77-bb25-67d781191921
schema:
oneOf:
- $ref: '#/components/schemas/Security_Detections_API_BulkDeleteRules'
- - $ref: '#/components/schemas/Security_Detections_API_BulkDisableRules'
+ - $ref: >-
+ #/components/schemas/Security_Detections_API_BulkDisableRules
- $ref: '#/components/schemas/Security_Detections_API_BulkEnableRules'
- $ref: '#/components/schemas/Security_Detections_API_BulkExportRules'
- - $ref: '#/components/schemas/Security_Detections_API_BulkDuplicateRules'
- - $ref: '#/components/schemas/Security_Detections_API_BulkManualRuleRun'
+ - $ref: >-
+ #/components/schemas/Security_Detections_API_BulkDuplicateRules
+ - $ref: >-
+ #/components/schemas/Security_Detections_API_BulkManualRuleRun
- $ref: '#/components/schemas/Security_Detections_API_BulkEditRules'
responses:
'200':
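Review bot: The example value at `timestamp: 2023-10-31T00:00:00.000Z` has lost its quotes in this hunk, so loaders that resolve the YAML 1.1 timestamp type (PyYAML, js-yaml's default schema) now read it as a date object rather than the string it was before, while the neighbouring `created_at: '2020-07-22T10:27:23.486Z'` examples in this same file remain quoted; a later JSON conversion or example validation can then reformat or reject the value. Since this file appears to be bundler output rather than a hand edit, the fix belongs at the source example or in the dumper's quoting settings, restoring `timestamp: '2023-10-31T00:00:00.000Z'`. The `$ref: >-` folded form introduced in the same hunk is valid YAML and resolves to the identical string, but splitting a single `$ref` token over two lines hurts searchability; if the line-width setting can exempt `$ref` values, that is worth doing. The enclosing `post` operation starts and ends outside this hunk.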
@@ -12634,7 +14087,10 @@ paths:
application/json:
examples:
example01:
- description: In this response one rule was updated and one was skipped. Objects returned in attributes.results.skipped will only include rules' id, name, and skip_reason.
+ description: >-
+ In this response one rule was updated and one was skipped.
+ Objects returned in attributes.results.skipped will only
+ include rules' id, name, and skip_reason.
summary: Successful response
value:
attributes:
@@ -12651,13 +14107,25 @@ paths:
- Elastic
created_at: '2022-02-21T14:14:13.801Z'
created_by: elastic
- description: A machine learning job detected unusually large numbers of DNS queries for a single top-level DNS domain, which is often used for DNS tunneling. DNS tunneling can be used for command-and-control, persistence, or data exfiltration activity. For example, dnscat tends to generate many DNS questions for a top-level domain as it uses the DNS protocol to tunnel data.
+ description: >-
+ A machine learning job detected unusually large
+ numbers of DNS queries for a single top-level DNS
+ domain, which is often used for DNS tunneling. DNS
+ tunneling can be used for command-and-control,
+ persistence, or data exfiltration activity. For
+ example, dnscat tends to generate many DNS
+ questions for a top-level domain as it uses the
+ DNS protocol to tunnel data.
enabled: true
exceptions_list: []
execution_summary:
last_execution:
date: '2022-03-23T16:06:12.787Z'
- message: This rule attempted to query data from Elasticsearch indices listed in the "Index pattern" section of the rule definition, but no matching index was found.
+ message: >-
+ This rule attempted to query data from
+ Elasticsearch indices listed in the "Index
+ pattern" section of the rule definition, but
+ no matching index was found.
metrics:
execution_gap_duration_s: 0
total_indexing_duration_ms: 15
@@ -12665,7 +14133,11 @@ paths:
status: partial failure
status_order: 20
false_positives:
- - DNS domains that use large numbers of child domains, such as software or content distribution networks, can trigger this alert and such parent domains can be excluded.
+ - >-
+ DNS domains that use large numbers of child
+ domains, such as software or content
+ distribution networks, can trigger this alert
+ and such parent domains can be excluded.
from: now-45m
id: 8bc7dad0-9320-11ec-9265-8b772383a08d
immutable: false
@@ -12676,7 +14148,8 @@ paths:
max_signals: 100
name: DNS Tunneling [Duplicate]
references:
- - https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html
+ - >-
+ https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html
related_integrations: []
required_fields: []
risk_score: 21
@@ -12704,13 +14177,19 @@ paths:
rules_count: 1
success: true
example02:
- description: If processing of any rule fails, a partial error outputs the ID and/or name of the affected rule and the corresponding error, as well as successfully processed rules (in the same format as a successful 200 request).
+ description: >-
+ If processing of any rule fails, a partial error outputs the
+ ID and/or name of the affected rule and the corresponding
+ error, as well as successfully processed rules (in the same
+ format as a successful 200 request).
summary: Partial failure
value:
value:
attributes:
errors:
- - message: Index patterns can't be added. Machine learning rule doesn't have index patterns property
+ - message: >-
+ Index patterns can't be added. Machine learning
+ rule doesn't have index patterns property
rules:
- id: 8bc7dad0-9320-11ec-9265-8b772383a08d
name: DNS Tunneling [Duplicate]
@@ -12725,13 +14204,21 @@ paths:
- Elastic
created_at: '2022-02-21T14:14:17.883Z'
created_by: elastic
- description: Generates a detection alert for each external alert written to the configured indices. Enabling this rule allows you to immediately begin investigating external alerts in the app.
+ description: >-
+ Generates a detection alert for each external
+ alert written to the configured indices.
+ Enabling this rule allows you to immediately
+ begin investigating external alerts in the app.
enabled: true
exceptions_list: []
execution_summary:
last_execution:
date: '2022-03-23T16:06:12.787Z'
- message: This rule attempted to query data from Elasticsearch indices listed in the "Index pattern" section of the rule definition, but no matching index was found.
+ message: >-
+ This rule attempted to query data from
+ Elasticsearch indices listed in the "Index
+ pattern" section of the rule definition, but
+ no matching index was found.
metrics:
execution_gap_duration_s: 0
total_indexing_duration_ms: 15
@@ -12756,8 +14243,9 @@ paths:
license: Elastic License v2
max_signals: 10000
name: External Alerts [Duplicate]
- query: |
- event.kind:alert and not event.module:(endgame or endpoint)
+ query: >
+ event.kind:alert and not event.module:(endgame
+ or endpoint)
references: []
related_integrations: []
required_fields: []
@@ -12811,7 +14299,15 @@ paths:
status_code: 500
success: false
example03:
- description: The attributes.errors section of the response shows that two rules failed to update and one succeeded. The same results would be returned if you ran the request without dry run mode enabled. Notice that there are no arrays in attributes.results. In dry run mode, rule updates are not applied and saved to Elasticsearch, so the endpoint wouldn’t return results for rules that have been updated, created, or deleted.
+ description: >-
+ The attributes.errors section of the response shows that two
+ rules failed to update and one succeeded. The same results
+ would be returned if you ran the request without dry run
+ mode enabled. Notice that there are no arrays in
+ attributes.results. In dry run mode, rule updates are not
+ applied and saved to Elasticsearch, so the endpoint wouldn’t
+ return results for rules that have been updated, created, or
+ deleted.
summary: Dry run
value:
attributes:
@@ -12841,7 +14337,11 @@ paths:
message: Bulk edit partially failed
status_code: 500
example04:
- description: This example presents the successful setting of tags for 2 rules. There was a difference between the set of tags that were being added and the tags that were already set in the rules, that's why the rules were updated.
+ description: >-
+ This example presents the successful setting of tags for 2
+ rules. There was a difference between the set of tags that
+ were being added and the tags that were already set in the
+ rules, that's why the rules were updated.
summary: Set tags successsully for 2 rules
value:
attributes:
@@ -12938,7 +14438,8 @@ paths:
investigation_fields:
field_names:
- alert.status
- - Endpoint.policy.applied.artifacts.global.channel
+ - >-
+ Endpoint.policy.applied.artifacts.global.channel
language: kuery
license: ''
max_signals: 100
@@ -12979,7 +14480,11 @@ paths:
rules_count: 2
success: true
example05:
- description: This example presents the idempotent behavior of the edit action with set_tags request. Both rules already had exactly the same tags that were being added, so no changes were made in any of them.
+ description: >-
+ This example presents the idempotent behavior of the edit
+ action with set_tags request. Both rules already had exactly
+ the same tags that were being added, so no changes were made
+ in any of them.
summary: Idempotent behavior of set_tags
value:
attributes:
@@ -13002,7 +14507,11 @@ paths:
rules_count: 2
success: true
example06:
- description: This example presents the idempotent behavior of the edit action with add_tags request. One rule was updated and one was skipped. The rule that was skipped already had all the tags that were being added.
+ description: >-
+ This example presents the idempotent behavior of the edit
+ action with add_tags request. One rule was updated and one
+ was skipped. The rule that was skipped already had all the
+ tags that were being added.
summary: Idempotent behavior of add_tags
value:
attributes:
@@ -13050,7 +14559,8 @@ paths:
investigation_fields:
field_names:
- alert.status
- - Endpoint.policy.applied.artifacts.global.channel
+ - >-
+ Endpoint.policy.applied.artifacts.global.channel
language: kuery
license: ''
max_signals: 100
@@ -13092,7 +14602,11 @@ paths:
rules_count: 2
success: true
example07:
- description: This example shows a non-idempotent nature of the set_rule_actions requests. Regardless if the actions are the same as the existing actions for a rule, the actions are always set in the rule and receive a new unique ID.
+ description: >-
+ This example shows a non-idempotent nature of the
+ set_rule_actions requests. Regardless if the actions are the
+ same as the existing actions for a rule, the actions are
+ always set in the rule and receive a new unique ID.
summary: Non-idempotent behavior for set_rule_actions
value:
attributes:
@@ -13137,7 +14651,8 @@ paths:
investigation_fields:
field_names:
- alert.status
- - Endpoint.policy.applied.artifacts.global.channel
+ - >-
+ Endpoint.policy.applied.artifacts.global.channel
language: kuery
license: ''
max_signals: 100
@@ -13179,7 +14694,11 @@ paths:
rules_count: 1
success: true
example08:
- description: This example shows a non-idempotent nature of the add_rule_actions requests. Regardless if the added action is the same as another existing action for a rule, the new action is added to the rule and receives a new unique ID.
+ description: >-
+ This example shows a non-idempotent nature of the
+ add_rule_actions requests. Regardless if the added action is
+ the same as another existing action for a rule, the new
+ action is added to the rule and receives a new unique ID.
summary: Non-idempotent behavior for add_rule_actions
value:
attributes:
@@ -13267,24 +14786,38 @@ paths:
success: true
schema:
oneOf:
- - $ref: '#/components/schemas/Security_Detections_API_BulkEditActionResponse'
- - $ref: '#/components/schemas/Security_Detections_API_BulkExportActionResponse'
+ - $ref: >-
+ #/components/schemas/Security_Detections_API_BulkEditActionResponse
+ - $ref: >-
+ #/components/schemas/Security_Detections_API_BulkExportActionResponse
description: OK
summary: Apply a bulk action to detection rules
tags:
- Security Detections API
+ - Bulk API
/api/detection_engine/rules/_bulk_create:
post:
deprecated: true
- description: |
+ description: >
Create new detection rules in bulk.
+
> warn
+
> This API is deprecated and will be removed in Kibana v9.0.
+
> warn
- > When used with [API key](https://www.elastic.co/guide/en/kibana/current/api-keys.html) authentication, the user's key gets assigned to the affected rules. If the user's key gets deleted or the user becomes inactive, the rules will stop running.
- > If the API key that is used for authorization has different privileges than the key that created or most recently updated the rule, the rule behavior might change.
+ > When used with [API
+ key](https://www.elastic.co/guide/en/kibana/current/api-keys.html)
+ authentication, the user's key gets assigned to the affected rules. If
+ the user's key gets deleted or the user becomes inactive, the rules will
+ stop running.
+
+
+ > If the API key that is used for authorization has different privileges
+ than the key that created or most recently updated the rule, the rule
+ behavior might change.
operationId: BulkCreateRules
requestBody:
content:
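Review bot: The folded `description: >` for `_bulk_create` does not round-trip to the removed literal: between `stop running.` and `> If the API key that is used for authorization …` the new side has two consecutive empty lines, which a folded scalar turns into `\n\n`, whereas the removed `|` block had a single line break there, so the resulting string now contains a paragraph break inside what was one `> warn` callout (in CommonMark a blank line ends a blockquote, so the doc renderer will presumably show two separate quotes). The same double blank line appears in the `_bulk_update` patch and put descriptions, in the `_export` and `_import` descriptions before `> You can use Kibana’s [Saved Objects]`, and in the `prepackaged` description before `This ensures that your detection engine`. If the regeneration is meant to be behaviour-preserving, compare the parsed value of these descriptions against the previous bundle, or keep `|` (no line wrapping) for descriptions that carry `>` callouts. Separately, `$ref: >-` followed by a line beginning with `#/components/...` is valid YAML but reads like a comment to a human; a single-line `$ref: '#/components/schemas/Security_Detections_API_BulkEditActionResponse'` would be clearer even where it exceeds the wrap width.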
@@ -13304,7 +14837,13 @@ paths:
interval: 5m
language: kuery
name: MS Office child process
- query: process.parent.name:EXCEL.EXE or process.parent.name:MSPUB.EXE or process.parent.name:OUTLOOK.EXE or process.parent.name:POWERPNT.EXE or process.parent.name:VISIO.EXE or process.parent.name:WINWORD.EXE
+ query: >-
+ process.parent.name:EXCEL.EXE or
+ process.parent.name:MSPUB.EXE or
+ process.parent.name:OUTLOOK.EXE or
+ process.parent.name:POWERPNT.EXE or
+ process.parent.name:VISIO.EXE or
+ process.parent.name:WINWORD.EXE
risk_score: 50
rule_id: process_started_by_ms_office_program_possible_payload
severity: low
@@ -13331,11 +14870,13 @@ paths:
content:
application/json:
schema:
- $ref: '#/components/schemas/Security_Detections_API_BulkCrudRulesResponse'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_BulkCrudRulesResponse
description: Indicates a successful call.
summary: Create multiple detection rules
tags:
- Security Detections API
+ - Bulk API
/api/detection_engine/rules/_bulk_delete:
delete:
deprecated: true
@@ -13359,30 +14900,37 @@ paths:
id:
$ref: '#/components/schemas/Security_Detections_API_RuleObjectId'
rule_id:
- $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_RuleSignatureId
type: array
- description: A JSON array of `id` or `rule_id` fields of the rules you want to delete.
+ description: >-
+ A JSON array of `id` or `rule_id` fields of the rules you want to
+ delete.
required: true
responses:
'200':
content:
application/json:
schema:
- $ref: '#/components/schemas/Security_Detections_API_BulkCrudRulesResponse'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_BulkCrudRulesResponse
description: Indicates a successful call.
'400':
content:
application/json:
schema:
oneOf:
- - $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse'
- - $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse'
+ - $ref: >-
+ #/components/schemas/Security_Detections_API_PlatformErrorResponse
+ - $ref: >-
+ #/components/schemas/Security_Detections_API_SiemErrorResponse
description: Invalid input data response
'401':
content:
application/json:
schema:
- $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_PlatformErrorResponse
description: Unsuccessful authentication response
'500':
content:
@@ -13393,6 +14941,7 @@ paths:
summary: Delete multiple detection rules
tags:
- Security Detections API
+ - Bulk API
post:
deprecated: true
description: |
@@ -13415,30 +14964,37 @@ paths:
id:
$ref: '#/components/schemas/Security_Detections_API_RuleObjectId'
rule_id:
- $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_RuleSignatureId
type: array
- description: A JSON array of `id` or `rule_id` fields of the rules you want to delete.
+ description: >-
+ A JSON array of `id` or `rule_id` fields of the rules you want to
+ delete.
required: true
responses:
'200':
content:
application/json:
schema:
- $ref: '#/components/schemas/Security_Detections_API_BulkCrudRulesResponse'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_BulkCrudRulesResponse
description: Indicates a successful call.
'400':
content:
application/json:
schema:
oneOf:
- - $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse'
- - $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse'
+ - $ref: >-
+ #/components/schemas/Security_Detections_API_PlatformErrorResponse
+ - $ref: >-
+ #/components/schemas/Security_Detections_API_SiemErrorResponse
description: Invalid input data response
'401':
content:
application/json:
schema:
- $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_PlatformErrorResponse
description: Unsuccessful authentication response
'500':
content:
@@ -13449,18 +15005,31 @@ paths:
summary: Delete multiple detection rules
tags:
- Security Detections API
+ - Bulk API
/api/detection_engine/rules/_bulk_update:
patch:
deprecated: true
- description: |
- Update specific fields of existing detection rules using the `rule_id` or `id` field.
+ description: >
+ Update specific fields of existing detection rules using the `rule_id`
+ or `id` field.
+
> warn
+
> This API is deprecated and will be removed in Kibana v9.0.
+
> warn
- > When used with [API key](https://www.elastic.co/guide/en/kibana/current/api-keys.html) authentication, the user's key gets assigned to the affected rules. If the user's key gets deleted or the user becomes inactive, the rules will stop running.
- > If the API key that is used for authorization has different privileges than the key that created or most recently updated the rule, the rule behavior might change.
+ > When used with [API
+ key](https://www.elastic.co/guide/en/kibana/current/api-keys.html)
+ authentication, the user's key gets assigned to the affected rules. If
+ the user's key gets deleted or the user becomes inactive, the rules will
+ stop running.
+
+
+ > If the API key that is used for authorization has different privileges
+ than the key that created or most recently updated the rule, the rule
+ behavior might change.
operationId: BulkPatchRules
requestBody:
content:
@@ -13492,22 +15061,36 @@ paths:
content:
application/json:
schema:
- $ref: '#/components/schemas/Security_Detections_API_BulkCrudRulesResponse'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_BulkCrudRulesResponse
description: Indicates a successful call.
summary: Patch multiple detection rules
tags:
- Security Detections API
+ - Bulk API
put:
deprecated: true
- description: |
- Update multiple detection rules using the `rule_id` or `id` field. The original rules are replaced, and all unspecified fields are deleted.
+ description: >
+ Update multiple detection rules using the `rule_id` or `id` field. The
+ original rules are replaced, and all unspecified fields are deleted.
+
> warn
+
> This API is deprecated and will be removed in Kibana v9.0.
+
> warn
- > When used with [API key](https://www.elastic.co/guide/en/kibana/current/api-keys.html) authentication, the user's key gets assigned to the affected rules. If the user's key gets deleted or the user becomes inactive, the rules will stop running.
- > If the API key that is used for authorization has different privileges than the key that created or most recently updated the rule, the rule behavior might change.
+ > When used with [API
+ key](https://www.elastic.co/guide/en/kibana/current/api-keys.html)
+ authentication, the user's key gets assigned to the affected rules. If
+ the user's key gets deleted or the user becomes inactive, the rules will
+ stop running.
+
+
+ > If the API key that is used for authorization has different privileges
+ than the key that created or most recently updated the rule, the rule
+ behavior might change.
operationId: BulkUpdateRules
requestBody:
content:
@@ -13515,7 +15098,11 @@ paths:
examples:
example1:
value:
- - description: Detects when a previously suspended user's account is renewed in Google Workspace. An adversary may renew a suspended user account to maintain access to the Google Workspace organization with a valid account.
+ - description: >-
+ Detects when a previously suspended user's account is
+ renewed in Google Workspace. An adversary may renew a
+ suspended user account to maintain access to the Google
+ Workspace organization with a valid account.
id: 7d2f5ed8-6c05-44ab-81ce-9160ae147057
name: Updated Google Workspace Suspended User Account Renewed
risk_score: 21
@@ -13523,7 +15110,13 @@ paths:
tags:
- new_tag
type: query
- - description: Identifies the creation of an Amazon Redshift cluster. Unexpected creation of this cluster by a non-administrative user may indicate a permission or role issue with current users. If unexpected, the resource may not properly be configured and could introduce security vulnerabilities.
+ - description: >-
+ Identifies the creation of an Amazon Redshift cluster.
+ Unexpected creation of this cluster by a
+ non-administrative user may indicate a permission or role
+ issue with current users. If unexpected, the resource may
+ not properly be configured and could introduce security
+ vulnerabilities.
id: 43b2dc3b-4f21-4a10-95e2-0dbc19e6e974
name: Updated AWS Redshift Cluster Creation
risk_score: 21
@@ -13535,33 +15128,61 @@ paths:
items:
$ref: '#/components/schemas/Security_Detections_API_RuleUpdateProps'
type: array
- description: |
- A JSON array where each element includes the `id` or `rule_id` field of the rule you want to update and the fields you want to be specified in this rule.
+ description: >
+ A JSON array where each element includes the `id` or `rule_id` field
+ of the rule you want to update and the fields you want to be specified
+ in this rule.
+
> info
- > All unspecified fields are deleted. You cannot modify the `id` or `rule_id` values.
+
+ > All unspecified fields are deleted. You cannot modify the `id` or
+ `rule_id` values.
required: true
responses:
'200':
content:
application/json:
schema:
- $ref: '#/components/schemas/Security_Detections_API_BulkCrudRulesResponse'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_BulkCrudRulesResponse
description: Indicates a successful call.
summary: Update multiple detection rules
tags:
- Security Detections API
+ - Bulk API
/api/detection_engine/rules/_export:
post:
- description: |
- Export detection rules to an `.ndjson` file. The following configuration items are also included in the `.ndjson` file:
+ description: >
+ Export detection rules to an `.ndjson` file. The following configuration
+ items are also included in the `.ndjson` file:
+
- Actions
+
- Exception lists
+
> info
- > Rule actions and connectors are included in the exported file, but sensitive information about the connector (such as authentication credentials) is not included. You must re-add missing connector details after importing detection rules.
- > You can use Kibana’s [Saved Objects](https://www.elastic.co/guide/en/kibana/current/managing-saved-objects.html) UI (Stack Management → Kibana → Saved Objects) or the Saved Objects APIs (experimental) to [export](https://www.elastic.co/docs/api/doc/kibana/operation/operation-exportsavedobjectsdefault) and [import](https://www.elastic.co/docs/api/doc/kibana/operation/operation-importsavedobjectsdefault) any necessary connectors before importing detection rules.
+ > Rule actions and connectors are included in the exported file, but
+ sensitive information about the connector (such as authentication
+ credentials) is not included. You must re-add missing connector details
+ after importing detection rules.
+
+
+ > You can use Kibana’s [Saved
+ Objects](https://www.elastic.co/guide/en/kibana/current/managing-saved-objects.html)
+ UI (Stack Management → Kibana → Saved Objects) or the Saved Objects APIs
+ (experimental) to
+ [export](https://www.elastic.co/docs/api/doc/kibana/operation/operation-exportsavedobjectsdefault)
+ and
+ [import](https://www.elastic.co/docs/api/doc/kibana/operation/operation-importsavedobjectsdefault)
+ any necessary connectors before importing detection rules.
- > Similarly, any value lists used for rule exceptions are not included in rule exports or imports. Use the [Manage value lists](https://www.elastic.co/guide/en/security/current/value-lists-exceptions.html#manage-value-lists) UI (Rules → Detection rules (SIEM) → Manage value lists) to export and import value lists separately.
+
+ > Similarly, any value lists used for rule exceptions are not included
+ in rule exports or imports. Use the [Manage value
+ lists](https://www.elastic.co/guide/en/security/current/value-lists-exceptions.html#manage-value-lists)
+ UI (Rules → Detection rules (SIEM) → Manage value lists) to export and
+ import value lists separately.
operationId: ExportRules
parameters:
- description: Determines whether a summary of the exported rules is returned.
@@ -13571,10 +15192,13 @@ paths:
schema:
default: false
type: boolean
- - description: |
+ - description: >
File name for saving the exported rules.
+
> info
- > When using cURL to export rules to a file, use the -O and -J options to save the rules to the file name specified in the URL.
+
+ > When using cURL to export rules to a file, use the -O and -J
+ options to save the rules to the file name specified in the URL.
in: query
name: file_name
required: false
@@ -13589,12 +15213,15 @@ paths:
type: object
properties:
objects:
- description: Array of `rule_id` fields. Exports all rules when unspecified.
+ description: >-
+ Array of `rule_id` fields. Exports all rules when
+ unspecified.
items:
type: object
properties:
rule_id:
- $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_RuleSignatureId
required:
- rule_id
type: array
@@ -13606,20 +15233,27 @@ paths:
content:
application/ndjson:
schema:
- description: |
+ description: >
An `.ndjson` file containing the returned rules.
- Each line in the file represents an object (a rule, exception list parent container, or exception list item), and the last line includes a summary of what was exported.
+
+ Each line in the file represents an object (a rule, exception
+ list parent container, or exception list item), and the last
+ line includes a summary of what was exported.
format: binary
type: string
description: Indicates a successful call.
summary: Export detection rules
tags:
- Security Detections API
+ - Import/Export API
x-codeSamples:
- lang: cURL
- source: |
- curl -X POST "localhost:5601/api/detection_engine/rules/_export?exclude_export_details=true&file_name=exported_rules.ndjson" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d'
+ source: >
+ curl -X POST
+ "localhost:5601/api/detection_engine/rules/_export?exclude_export_details=true&file_name=exported_rules.ndjson"
+ -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d'
+
{
"objects": [
{
@@ -13632,7 +15266,9 @@ paths:
}
/api/detection_engine/rules/_find:
get:
- description: Retrieve a paginated list of detection rules. By default, the first page is returned, with 20 results per page.
+ description: >-
+ Retrieve a paginated list of detection rules. By default, the first page
+ is returned, with 20 results per page.
operationId: FindRules
parameters:
- in: query
@@ -13642,18 +15278,30 @@ paths:
items:
type: string
type: array
- - description: |
+ - description: >
Search query
- Filters the returned results according to the value of the specified field, using the alert.attributes.: syntax, where can be:
+
+ Filters the returned results according to the value of the specified
+ field, using the alert.attributes.: syntax,
+ where can be:
+
- name
+
- enabled
+
- tags
+
- createdBy
+
- interval
+
- updatedBy
+
> info
- > Even though the JSON rule object uses created_by and updated_by fields, you must use createdBy and updatedBy fields in the filter.
+
+ > Even though the JSON rule object uses created_by and updated_by
+ fields, you must use createdBy and updatedBy fields in the filter.
in: query
name: filter
required: false
@@ -13709,12 +15357,20 @@ paths:
data:
- created_at: '2020-02-02T10:05:19.613Z'
created_by: elastic
- description: Identifies a PowerShell process launched by either cscript.exe or wscript.exe. Observing Windows scripting processes executing a PowerShell script, may be indicative of malicious activity.
+ description: >-
+ Identifies a PowerShell process launched by either
+ cscript.exe or wscript.exe. Observing Windows
+ scripting processes executing a PowerShell script, may
+ be indicative of malicious activity.
enabled: false
execution_summary:
last_execution:
date: '2022-03-23T16:06:12.787Z'
- message: This rule attempted to query data from Elasticsearch indices listed in the "Index pattern" section of the rule definition, but no matching index was found.
+ message: >-
+ This rule attempted to query data from
+ Elasticsearch indices listed in the "Index
+ pattern" section of the rule definition, but no
+ matching index was found.
metrics:
execution_gap_duration_s: 0
total_indexing_duration_ms: 15
@@ -13731,7 +15387,10 @@ paths:
language: kuery
max_signals: 33
name: Windows Script Executing PowerShell
- query: 'event.action:"Process Create (rule: ProcessCreate)" and process.parent.name:("wscript.exe" or "cscript.exe") and process.name:"powershell.exe"'
+ query: >-
+ event.action:"Process Create (rule: ProcessCreate)"
+ and process.parent.name:("wscript.exe" or
+ "cscript.exe") and process.name:"powershell.exe"
references: []
related_integrations:
- package: o365
@@ -13775,7 +15434,8 @@ paths:
properties:
data:
items:
- $ref: '#/components/schemas/Security_Detections_API_RuleResponse'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_RuleResponse
type: array
page:
type: integer
@@ -13788,53 +15448,104 @@ paths:
- perPage
- total
- data
- description: |
+ description: >
Successful response
+
> info
- > These fields are under development and their usage or schema may change: execution_summary.
+
+ > These fields are under development and their usage or schema may
+ change: execution_summary.
summary: List all detection rules
tags:
- Security Detections API
+ - Rules API
x-codeSamples:
- lang: cURL
- source: |
- curl -X GET "localhost:5601/api/detection_engine/rules/_find?page=1&per_page=5&sort_field=enabled&sort_order=asc&filter=alert.attributes.name:windows" -H 'kbn-xsrf: true'
+ source: >
+ curl -X GET
+ "localhost:5601/api/detection_engine/rules/_find?page=1&per_page=5&sort_field=enabled&sort_order=asc&filter=alert.attributes.name:windows"
+ -H 'kbn-xsrf: true'
/api/detection_engine/rules/_import:
post:
- description: |
- Import detection rules from an `.ndjson` file, including actions and exception lists. The request must include:
+ description: >
+ Import detection rules from an `.ndjson` file, including actions and
+ exception lists. The request must include:
+
- The `Content-Type: multipart/form-data` HTTP header.
+
- A link to the `.ndjson` file containing the rules.
+
> warn
- > When used with [API key](https://www.elastic.co/guide/en/kibana/current/api-keys.html) authentication, the user's key gets assigned to the affected rules. If the user's key gets deleted or the user becomes inactive, the rules will stop running.
- > If the API key that is used for authorization has different privileges than the key that created or most recently updated the rule, the rule behavior might change.
+ > When used with [API
+ key](https://www.elastic.co/guide/en/kibana/current/api-keys.html)
+ authentication, the user's key gets assigned to the affected rules. If
+ the user's key gets deleted or the user becomes inactive, the rules will
+ stop running.
+
+
+ > If the API key that is used for authorization has different privileges
+ than the key that created or most recently updated the rule, the rule
+ behavior might change.
+
> info
- > To import rules with actions, you need at least Read privileges for the Action and Connectors feature. To overwrite or add new connectors, you need All privileges for the Actions and Connectors feature. To import rules without actions, you don’t need Actions and Connectors privileges. Refer to [Enable and access detections](https://www.elastic.co/guide/en/security/current/detections-permissions-section.html#enable-detections-ui) for more information.
+
+ > To import rules with actions, you need at least Read privileges for
+ the Action and Connectors feature. To overwrite or add new connectors,
+ you need All privileges for the Actions and Connectors feature. To
+ import rules without actions, you don’t need Actions and Connectors
+ privileges. Refer to [Enable and access
+ detections](https://www.elastic.co/guide/en/security/current/detections-permissions-section.html#enable-detections-ui)
+ for more information.
+
> info
- > Rule actions and connectors are included in the exported file, but sensitive information about the connector (such as authentication credentials) is not included. You must re-add missing connector details after importing detection rules.
- > You can use Kibana’s [Saved Objects](https://www.elastic.co/guide/en/kibana/current/managing-saved-objects.html) UI (Stack Management → Kibana → Saved Objects) or the Saved Objects APIs (experimental) to [export](https://www.elastic.co/docs/api/doc/kibana/operation/operation-exportsavedobjectsdefault) and [import](https://www.elastic.co/docs/api/doc/kibana/operation/operation-importsavedobjectsdefault) any necessary connectors before importing detection rules.
+ > Rule actions and connectors are included in the exported file, but
+ sensitive information about the connector (such as authentication
+ credentials) is not included. You must re-add missing connector details
+ after importing detection rules.
+
+
+ > You can use Kibana’s [Saved
+ Objects](https://www.elastic.co/guide/en/kibana/current/managing-saved-objects.html)
+ UI (Stack Management → Kibana → Saved Objects) or the Saved Objects APIs
+ (experimental) to
+ [export](https://www.elastic.co/docs/api/doc/kibana/operation/operation-exportsavedobjectsdefault)
+ and
+ [import](https://www.elastic.co/docs/api/doc/kibana/operation/operation-importsavedobjectsdefault)
+ any necessary connectors before importing detection rules.
- > Similarly, any value lists used for rule exceptions are not included in rule exports or imports. Use the [Manage value lists](https://www.elastic.co/guide/en/security/current/value-lists-exceptions.html#manage-value-lists) UI (Rules → Detection rules (SIEM) → Manage value lists) to export and import value lists separately.
+
+ > Similarly, any value lists used for rule exceptions are not included
+ in rule exports or imports. Use the [Manage value
+ lists](https://www.elastic.co/guide/en/security/current/value-lists-exceptions.html#manage-value-lists)
+ UI (Rules → Detection rules (SIEM) → Manage value lists) to export and
+ import value lists separately.
operationId: ImportRules
parameters:
- - description: Determines whether existing rules with the same `rule_id` are overwritten.
+ - description: >-
+ Determines whether existing rules with the same `rule_id` are
+ overwritten.
in: query
name: overwrite
required: false
schema:
default: false
type: boolean
- - description: Determines whether existing exception lists with the same `list_id` are overwritten. Both the exception list container and its items are overwritten.
+ - description: >-
+ Determines whether existing exception lists with the same `list_id`
+ are overwritten. Both the exception list container and its items are
+ overwritten.
in: query
name: overwrite_exceptions
required: false
schema:
default: false
type: boolean
- - description: Determines whether existing actions with the same `kibana.alert.rule.actions.id` are overwritten.
+ - description: >-
+ Determines whether existing actions with the same
+ `kibana.alert.rule.actions.id` are overwritten.
in: query
name: overwrite_action_connectors
required: false
@@ -13889,7 +15600,8 @@ paths:
type: integer
action_connectors_warnings:
items:
- $ref: '#/components/schemas/Security_Detections_API_WarningSchema'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_WarningSchema
type: array
errors:
items:
@@ -13928,6 +15640,7 @@ paths:
summary: Import detection rules
tags:
- Security Detections API
+ - Import/Export API
x-codeSamples:
- lang: cURL
source: |
@@ -13954,7 +15667,8 @@ paths:
properties:
items:
items:
- $ref: '#/components/schemas/Security_Exceptions_API_CreateRuleExceptionListItemProps'
+ $ref: >-
+ #/components/schemas/Security_Exceptions_API_CreateRuleExceptionListItemProps
type: array
required:
- items
@@ -13966,7 +15680,8 @@ paths:
application/json:
schema:
items:
- $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItem'
+ $ref: >-
+ #/components/schemas/Security_Exceptions_API_ExceptionListItem
type: array
description: Successful response
'400':
@@ -13974,20 +15689,24 @@ paths:
application/json:
schema:
oneOf:
- - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse'
- - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse'
+ - $ref: >-
+ #/components/schemas/Security_Exceptions_API_PlatformErrorResponse
+ - $ref: >-
+ #/components/schemas/Security_Exceptions_API_SiemErrorResponse
description: Invalid input data response
'401':
content:
application/json:
schema:
- $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse'
+ $ref: >-
+ #/components/schemas/Security_Exceptions_API_PlatformErrorResponse
description: Unsuccessful authentication response
'403':
content:
application/json:
schema:
- $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse'
+ $ref: >-
+ #/components/schemas/Security_Exceptions_API_PlatformErrorResponse
description: Not enough privileges response
'500':
content:
@@ -14000,18 +15719,33 @@ paths:
- Security Exceptions API
/api/detection_engine/rules/prepackaged:
put:
- description: |
+ description: >
Install and update all Elastic prebuilt detection rules and Timelines.
- This endpoint allows you to install and update prebuilt detection rules and Timelines provided by Elastic.
+
+ This endpoint allows you to install and update prebuilt detection rules
+ and Timelines provided by Elastic.
+
When you call this endpoint, it will:
- - Install any new prebuilt detection rules that are not currently installed in your system.
- - Update any existing prebuilt detection rules that have been modified or improved by Elastic.
- - Install any new prebuilt Timelines that are not currently installed in your system.
- - Update any existing prebuilt Timelines that have been modified or improved by Elastic.
- This ensures that your detection engine is always up-to-date with the latest rules and Timelines,
- providing you with the most current and effective threat detection capabilities.
+ - Install any new prebuilt detection rules that are not currently
+ installed in your system.
+
+ - Update any existing prebuilt detection rules that have been modified
+ or improved by Elastic.
+
+ - Install any new prebuilt Timelines that are not currently installed in
+ your system.
+
+ - Update any existing prebuilt Timelines that have been modified or
+ improved by Elastic.
+
+
+ This ensures that your detection engine is always up-to-date with the
+ latest rules and Timelines,
+
+ providing you with the most current and effective threat detection
+ capabilities.
operationId: InstallPrebuiltRulesAndTimelines
responses:
'200':
@@ -14053,12 +15787,19 @@ paths:
summary: Install prebuilt detection rules and Timelines
tags:
- Security Detections API
+ - Prebuilt Rules API
/api/detection_engine/rules/prepackaged/_status:
get:
- description: |
- Retrieve the status of all Elastic prebuilt detection rules and Timelines.
+ description: >
+ Retrieve the status of all Elastic prebuilt detection rules and
+ Timelines.
+
- This endpoint provides detailed information about the number of custom rules, installed prebuilt rules, available prebuilt rules that are not installed, outdated prebuilt rules, installed prebuilt timelines, available prebuilt timelines that are not installed, and outdated prebuilt timelines.
+ This endpoint provides detailed information about the number of custom
+ rules, installed prebuilt rules, available prebuilt rules that are not
+ installed, outdated prebuilt rules, installed prebuilt timelines,
+ available prebuilt timelines that are not installed, and outdated
+ prebuilt timelines.
operationId: ReadPrebuiltRulesAndTimelinesStatus
responses:
'200':
@@ -14087,7 +15828,9 @@ paths:
minimum: 0
type: integer
rules_not_installed:
- description: The total number of available prebuilt rules that are not installed
+ description: >-
+ The total number of available prebuilt rules that are not
+ installed
minimum: 0
type: integer
rules_not_updated:
@@ -14099,7 +15842,9 @@ paths:
minimum: 0
type: integer
timelines_not_installed:
- description: The total number of available prebuilt timelines that are not installed
+ description: >-
+ The total number of available prebuilt timelines that are
+ not installed
minimum: 0
type: integer
timelines_not_updated:
@@ -14118,11 +15863,14 @@ paths:
summary: Retrieve the status of prebuilt detection rules and Timelines
tags:
- Security Detections API
+ - Prebuilt Rules API
/api/detection_engine/rules/preview:
post:
operationId: RulePreview
parameters:
- - description: Enables logging and returning in response ES queries, performed during rule execution
+ - description: >-
+ Enables logging and returning in response ES queries, performed
+ during rule execution
in: query
name: enable_logged_requests
required: false
@@ -14134,32 +15882,50 @@ paths:
schema:
anyOf:
- allOf:
- - $ref: '#/components/schemas/Security_Detections_API_EqlRuleCreateProps'
- - $ref: '#/components/schemas/Security_Detections_API_RulePreviewParams'
+ - $ref: >-
+ #/components/schemas/Security_Detections_API_EqlRuleCreateProps
+ - $ref: >-
+ #/components/schemas/Security_Detections_API_RulePreviewParams
- allOf:
- - $ref: '#/components/schemas/Security_Detections_API_QueryRuleCreateProps'
- - $ref: '#/components/schemas/Security_Detections_API_RulePreviewParams'
+ - $ref: >-
+ #/components/schemas/Security_Detections_API_QueryRuleCreateProps
+ - $ref: >-
+ #/components/schemas/Security_Detections_API_RulePreviewParams
- allOf:
- - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRuleCreateProps'
- - $ref: '#/components/schemas/Security_Detections_API_RulePreviewParams'
+ - $ref: >-
+ #/components/schemas/Security_Detections_API_SavedQueryRuleCreateProps
+ - $ref: >-
+ #/components/schemas/Security_Detections_API_RulePreviewParams
- allOf:
- - $ref: '#/components/schemas/Security_Detections_API_ThresholdRuleCreateProps'
- - $ref: '#/components/schemas/Security_Detections_API_RulePreviewParams'
+ - $ref: >-
+ #/components/schemas/Security_Detections_API_ThresholdRuleCreateProps
+ - $ref: >-
+ #/components/schemas/Security_Detections_API_RulePreviewParams
- allOf:
- - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRuleCreateProps'
- - $ref: '#/components/schemas/Security_Detections_API_RulePreviewParams'
+ - $ref: >-
+ #/components/schemas/Security_Detections_API_ThreatMatchRuleCreateProps
+ - $ref: >-
+ #/components/schemas/Security_Detections_API_RulePreviewParams
- allOf:
- - $ref: '#/components/schemas/Security_Detections_API_MachineLearningRuleCreateProps'
- - $ref: '#/components/schemas/Security_Detections_API_RulePreviewParams'
+ - $ref: >-
+ #/components/schemas/Security_Detections_API_MachineLearningRuleCreateProps
+ - $ref: >-
+ #/components/schemas/Security_Detections_API_RulePreviewParams
- allOf:
- - $ref: '#/components/schemas/Security_Detections_API_NewTermsRuleCreateProps'
- - $ref: '#/components/schemas/Security_Detections_API_RulePreviewParams'
+ - $ref: >-
+ #/components/schemas/Security_Detections_API_NewTermsRuleCreateProps
+ - $ref: >-
+ #/components/schemas/Security_Detections_API_RulePreviewParams
- allOf:
- - $ref: '#/components/schemas/Security_Detections_API_EsqlRuleCreateProps'
- - $ref: '#/components/schemas/Security_Detections_API_RulePreviewParams'
+ - $ref: >-
+ #/components/schemas/Security_Detections_API_EsqlRuleCreateProps
+ - $ref: >-
+ #/components/schemas/Security_Detections_API_RulePreviewParams
discriminator:
propertyName: type
- description: An object containing tags to add or remove and alert ids the changes will be applied
+ description: >-
+ An object containing tags to add or remove and alert ids the changes
+ will be applied
required: true
responses:
'200':
@@ -14172,10 +15938,12 @@ paths:
type: boolean
logs:
items:
- $ref: '#/components/schemas/Security_Detections_API_RulePreviewLogs'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_RulePreviewLogs
type: array
previewId:
- $ref: '#/components/schemas/Security_Detections_API_NonEmptyString'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_NonEmptyString
required:
- logs
description: Successful response
@@ -14184,14 +15952,17 @@ paths:
application/json:
schema:
oneOf:
- - $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse'
- - $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse'
+ - $ref: >-
+ #/components/schemas/Security_Detections_API_PlatformErrorResponse
+ - $ref: >-
+ #/components/schemas/Security_Detections_API_SiemErrorResponse
description: Invalid input data response
'401':
content:
application/json:
schema:
- $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_PlatformErrorResponse
description: Unsuccessful authentication response
'500':
content:
@@ -14202,6 +15973,7 @@ paths:
summary: Preview rule alerts generated on specified time range
tags:
- Security Detections API
+ - Rule preview API
/api/detection_engine/signals/assignees:
post:
description: |
@@ -14236,9 +16008,13 @@ paths:
/api/detection_engine/signals/finalize_migration:
post:
deprecated: true
- description: |
- Finalize successful migrations of detection alerts. This replaces the original index's alias with the successfully migrated index's alias.
- The endpoint is idempotent; therefore, it can safely be used to poll a given migration and, upon completion,
+ description: >
+ Finalize successful migrations of detection alerts. This replaces the
+ original index's alias with the successfully migrated index's alias.
+
+ The endpoint is idempotent; therefore, it can safely be used to poll a
+ given migration and, upon completion,
+
finalize it.
operationId: FinalizeAlertsMigration
requestBody:
@@ -14262,7 +16038,8 @@ paths:
application/json:
schema:
items:
- $ref: '#/components/schemas/Security_Detections_API_MigrationFinalizationResult'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_MigrationFinalizationResult
type: array
description: Successful response
'400':
@@ -14270,14 +16047,17 @@ paths:
application/json:
schema:
oneOf:
- - $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse'
- - $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse'
+ - $ref: >-
+ #/components/schemas/Security_Detections_API_PlatformErrorResponse
+ - $ref: >-
+ #/components/schemas/Security_Detections_API_SiemErrorResponse
description: Invalid input data response
'401':
content:
application/json:
schema:
- $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_PlatformErrorResponse
description: Unsuccessful authentication response
'500':
content:
@@ -14288,17 +16068,27 @@ paths:
summary: Finalize detection alert migrations
tags:
- Security Detections API
+ - Alerts migration API
/api/detection_engine/signals/migration:
delete:
deprecated: true
- description: |
- Migrations favor data integrity over shard size. Consequently, unused or orphaned indices are artifacts of
- the migration process. A successful migration will result in both the old and new indices being present.
+ description: >
+ Migrations favor data integrity over shard size. Consequently, unused or
+ orphaned indices are artifacts of
+
+ the migration process. A successful migration will result in both the
+ old and new indices being present.
+
As such, the old, orphaned index can (and likely should) be deleted.
+
While you can delete these indices manually,
- the endpoint accomplishes this task by applying a deletion policy to the relevant index, causing it to be deleted
- after 30 days. It also deletes other artifacts specific to the migration implementation.
+
+ the endpoint accomplishes this task by applying a deletion policy to the
+ relevant index, causing it to be deleted
+
+ after 30 days. It also deletes other artifacts specific to the migration
+ implementation.
operationId: AlertsMigrationCleanup
requestBody:
content:
@@ -14321,7 +16111,8 @@ paths:
application/json:
schema:
items:
- $ref: '#/components/schemas/Security_Detections_API_MigrationCleanupResult'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_MigrationCleanupResult
type: array
description: Successful response
'400':
@@ -14329,14 +16120,17 @@ paths:
application/json:
schema:
oneOf:
- - $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse'
- - $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse'
+ - $ref: >-
+ #/components/schemas/Security_Detections_API_PlatformErrorResponse
+ - $ref: >-
+ #/components/schemas/Security_Detections_API_SiemErrorResponse
description: Invalid input data response
'401':
content:
application/json:
schema:
- $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_PlatformErrorResponse
description: Unsuccessful authentication response
'500':
content:
@@ -14347,11 +16141,16 @@ paths:
summary: Clean up detection alert migrations
tags:
- Security Detections API
+ - Alerts migration API
post:
deprecated: true
- description: |
+ description: >
Initiate a migration of detection alerts.
- Migrations are initiated per index. While the process is neither destructive nor interferes with existing data, it may be resource-intensive. As such, it is recommended that you plan your migrations accordingly.
+
+ Migrations are initiated per index. While the process is neither
+ destructive nor interferes with existing data, it may be
+ resource-intensive. As such, it is recommended that you plan your
+ migrations accordingly.
operationId: CreateAlertsMigration
requestBody:
content:
@@ -14362,12 +16161,14 @@ paths:
properties:
index:
items:
- $ref: '#/components/schemas/Security_Detections_API_NonEmptyString'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_NonEmptyString
minItems: 1
type: array
required:
- index
- - $ref: '#/components/schemas/Security_Detections_API_AlertsReindexOptions'
+ - $ref: >-
+ #/components/schemas/Security_Detections_API_AlertsReindexOptions
description: Alerts migration parameters
required: true
responses:
@@ -14380,9 +16181,12 @@ paths:
indices:
items:
oneOf:
- - $ref: '#/components/schemas/Security_Detections_API_AlertsIndexMigrationSuccess'
- - $ref: '#/components/schemas/Security_Detections_API_AlertsIndexMigrationError'
- - $ref: '#/components/schemas/Security_Detections_API_SkippedAlertsIndexMigration'
+ - $ref: >-
+ #/components/schemas/Security_Detections_API_AlertsIndexMigrationSuccess
+ - $ref: >-
+ #/components/schemas/Security_Detections_API_AlertsIndexMigrationError
+ - $ref: >-
+ #/components/schemas/Security_Detections_API_SkippedAlertsIndexMigration
type: array
required:
- indices
@@ -14392,14 +16196,17 @@ paths:
application/json:
schema:
oneOf:
- - $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse'
- - $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse'
+ - $ref: >-
+ #/components/schemas/Security_Detections_API_PlatformErrorResponse
+ - $ref: >-
+ #/components/schemas/Security_Detections_API_SiemErrorResponse
description: Invalid input data response
'401':
content:
application/json:
schema:
- $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_PlatformErrorResponse
description: Unsuccessful authentication response
'500':
content:
@@ -14410,10 +16217,13 @@ paths:
summary: Initiate a detection alert migration
tags:
- Security Detections API
+ - Alerts migration API
/api/detection_engine/signals/migration_status:
post:
deprecated: true
- description: Retrieve indices that contain detection alerts of a particular age, along with migration information for each of those indices.
+ description: >-
+ Retrieve indices that contain detection alerts of a particular age,
+ along with migration information for each of those indices.
operationId: ReadAlertsMigrationStatus
parameters:
- description: Maximum age of qualifying detection alerts
@@ -14421,9 +16231,12 @@ paths:
name: from
required: true
schema:
- description: |
- Time from which data is analyzed. For example, now-4200s means the rule analyzes data from 70 minutes
- before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time).
+ description: >
+ Time from which data is analyzed. For example, now-4200s means the
+ rule analyzes data from 70 minutes
+
+ before its start time. Defaults to now-6m (analyzes data from 6
+ minutes before the start time).
format: date-math
type: string
responses:
@@ -14435,7 +16248,8 @@ paths:
properties:
indices:
items:
- $ref: '#/components/schemas/Security_Detections_API_IndexMigrationStatus'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_IndexMigrationStatus
type: array
required:
- indices
@@ -14445,14 +16259,17 @@ paths:
application/json:
schema:
oneOf:
- - $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse'
- - $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse'
+ - $ref: >-
+ #/components/schemas/Security_Detections_API_PlatformErrorResponse
+ - $ref: >-
+ #/components/schemas/Security_Detections_API_SiemErrorResponse
description: Invalid input data response
'401':
content:
application/json:
schema:
- $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_PlatformErrorResponse
description: Unsuccessful authentication response
'500':
content:
@@ -14463,6 +16280,7 @@ paths:
summary: Retrieve the status of detection alert migrations
tags:
- Security Detections API
+ - Alerts migration API
/api/detection_engine/signals/search:
post:
description: Find and/or aggregate detection alerts that match the given query.
@@ -14517,14 +16335,17 @@ paths:
application/json:
schema:
oneOf:
- - $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse'
- - $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse'
+ - $ref: >-
+ #/components/schemas/Security_Detections_API_PlatformErrorResponse
+ - $ref: >-
+ #/components/schemas/Security_Detections_API_SiemErrorResponse
description: Invalid input data response
'401':
content:
application/json:
schema:
- $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_PlatformErrorResponse
description: Unsuccessful authentication response
'500':
content:
@@ -14535,6 +16356,7 @@ paths:
summary: Find and/or aggregate detection alerts
tags:
- Security Detections API
+ - Alerts API
/api/detection_engine/signals/status:
post:
description: Set the status of one or more detection alerts.
@@ -14544,9 +16366,13 @@ paths:
application/json:
schema:
oneOf:
- - $ref: '#/components/schemas/Security_Detections_API_SetAlertsStatusByIds'
- - $ref: '#/components/schemas/Security_Detections_API_SetAlertsStatusByQuery'
- description: An object containing desired status and explicit alert ids or a query to select alerts
+ - $ref: >-
+ #/components/schemas/Security_Detections_API_SetAlertsStatusByIds
+ - $ref: >-
+ #/components/schemas/Security_Detections_API_SetAlertsStatusByQuery
+ description: >-
+ An object containing desired status and explicit alert ids or a query
+ to select alerts
required: true
responses:
'200':
@@ -14562,14 +16388,17 @@ paths:
application/json:
schema:
oneOf:
- - $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse'
- - $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse'
+ - $ref: >-
+ #/components/schemas/Security_Detections_API_PlatformErrorResponse
+ - $ref: >-
+ #/components/schemas/Security_Detections_API_SiemErrorResponse
description: Invalid input data response
'401':
content:
application/json:
schema:
- $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_PlatformErrorResponse
description: Unsuccessful authentication response
'500':
content:
@@ -14580,6 +16409,7 @@ paths:
summary: Set a detection alert status
tags:
- Security Detections API
+ - Alerts API
/api/detection_engine/signals/tags:
post:
description: |
@@ -14600,7 +16430,9 @@ paths:
required:
- ids
- tags
- description: An object containing tags to add or remove and alert ids the changes will be applied
+ description: >-
+ An object containing tags to add or remove and alert ids the changes
+ will be applied
required: true
responses:
'200':
@@ -14616,14 +16448,17 @@ paths:
application/json:
schema:
oneOf:
- - $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse'
- - $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse'
+ - $ref: >-
+ #/components/schemas/Security_Detections_API_PlatformErrorResponse
+ - $ref: >-
+ #/components/schemas/Security_Detections_API_SiemErrorResponse
description: Invalid input data response
'401':
content:
application/json:
schema:
- $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_PlatformErrorResponse
description: Unsuccessful authentication response
'500':
content:
@@ -14634,6 +16469,7 @@ paths:
summary: Add and remove detection alert tags
tags:
- Security Detections API
+ - Alerts API
/api/detection_engine/tags:
get:
description: List all unique tags from all detection rules.
@@ -14659,26 +16495,45 @@ paths:
summary: List all detection rule tags
tags:
- Security Detections API
+ - Tags API
/api/encrypted_saved_objects/_rotate_key:
post:
- description: |
+ description: >
Superuser role required.
- If a saved object cannot be decrypted using the primary encryption key, then Kibana will attempt to decrypt it using the specified decryption-only keys. In most of the cases this overhead is negligible, but if you're dealing with a large number of saved objects and experiencing performance issues, you may want to rotate the encryption key.
- This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.
+ If a saved object cannot be decrypted using the primary encryption key,
+ then Kibana will attempt to decrypt it using the specified
+ decryption-only keys. In most of the cases this overhead is negligible,
+ but if you're dealing with a large number of saved objects and
+ experiencing performance issues, you may want to rotate the encryption
+ key.
+
+
+ This functionality is in technical preview and may be changed or removed
+ in a future release. Elastic will work to fix any issues, but features
+ in technical preview are not subject to the support SLA of official GA
+ features.
operationId: rotateEncryptionKey
parameters:
- - description: |
- Specifies a maximum number of saved objects that Kibana can process in a single batch. Bulk key rotation is an iterative process since Kibana may not be able to fetch and process all required saved objects in one go and splits processing into consequent batches. By default, the batch size is 10000, which is also a maximum allowed value.
+ - description: >
+ Specifies a maximum number of saved objects that Kibana can process
+ in a single batch. Bulk key rotation is an iterative process since
+ Kibana may not be able to fetch and process all required saved
+ objects in one go and splits processing into consequent batches. By
+ default, the batch size is 10000, which is also a maximum allowed
+ value.
in: query
name: batch_size
required: false
schema:
default: 10000
type: number
- - description: |
- Limits encryption key rotation only to the saved objects with the specified type. By default, Kibana tries to rotate the encryption key for all saved object types that may contain encrypted attributes.
+ - description: >
+ Limits encryption key rotation only to the saved objects with the
+ specified type. By default, Kibana tries to rotate the encryption
+ key for all saved object types that may contain encrypted
+ attributes.
in: query
name: type
required: false
@@ -14695,18 +16550,28 @@ paths:
type: object
properties:
failed:
- description: |
- Indicates the number of the saved objects that were still encrypted with one of the old encryption keys that Kibana failed to re-encrypt with the primary key.
+ description: >
+ Indicates the number of the saved objects that were still
+ encrypted with one of the old encryption keys that Kibana
+ failed to re-encrypt with the primary key.
type: number
successful:
- description: |
- Indicates the total number of all encrypted saved objects (optionally filtered by the requested `type`), regardless of the key Kibana used for encryption.
+ description: >
+ Indicates the total number of all encrypted saved objects
+ (optionally filtered by the requested `type`), regardless
+ of the key Kibana used for encryption.
- NOTE: In most cases, `total` will be greater than `successful` even if `failed` is zero. The reason is that Kibana may not need or may not be able to rotate encryption keys for all encrypted saved objects.
+
+ NOTE: In most cases, `total` will be greater than
+ `successful` even if `failed` is zero. The reason is that
+ Kibana may not need or may not be able to rotate
+ encryption keys for all encrypted saved objects.
type: number
total:
- description: |
- Indicates the total number of all encrypted saved objects (optionally filtered by the requested `type`), regardless of the key Kibana used for encryption.
+ description: >
+ Indicates the total number of all encrypted saved objects
+ (optionally filtered by the requested `type`), regardless
+ of the key Kibana used for encryption.
type: number
description: Indicates a successful call.
'400':
@@ -14726,47 +16591,58 @@ paths:
- saved objects
/api/endpoint_list:
post:
- description: Create an endpoint exception list, which groups endpoint exception list items. If an endpoint exception list already exists, an empty response is returned.
+ description: >-
+ Create an endpoint exception list, which groups endpoint exception list
+ items. If an endpoint exception list already exists, an empty response
+ is returned.
operationId: CreateEndpointList
responses:
'200':
content:
application/json:
schema:
- $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_EndpointList'
+ $ref: >-
+ #/components/schemas/Security_Endpoint_Exceptions_API_EndpointList
description: Successful response
'400':
content:
application/json:
schema:
oneOf:
- - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse'
- - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse'
+ - $ref: >-
+ #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse
+ - $ref: >-
+ #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse
description: Invalid input data
'401':
content:
application/json:
schema:
- $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse'
+ $ref: >-
+ #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse
description: Unsuccessful authentication
'403':
content:
application/json:
schema:
- $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse'
+ $ref: >-
+ #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse
description: Insufficient privileges
'500':
content:
application/json:
schema:
- $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse'
+ $ref: >-
+ #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse
description: Internal server error
summary: Create an endpoint exception list
tags:
- Security Endpoint Exceptions API
/api/endpoint_list/items:
delete:
- description: Delete an endpoint exception list item using the `id` or `item_id` field.
+ description: >-
+ Delete an endpoint exception list item using the `id` or `item_id`
+ field.
operationId: DeleteEndpointListItem
parameters:
- description: Either `id` or `item_id` must be specified
@@ -14774,57 +16650,68 @@ paths:
name: id
required: false
schema:
- $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemId'
+ $ref: >-
+ #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemId
- description: Either `id` or `item_id` must be specified
in: query
name: item_id
required: false
schema:
- $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemHumanId'
+ $ref: >-
+ #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemHumanId
responses:
'200':
content:
application/json:
schema:
- $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_EndpointListItem'
+ $ref: >-
+ #/components/schemas/Security_Endpoint_Exceptions_API_EndpointListItem
description: Successful response
'400':
content:
application/json:
schema:
oneOf:
- - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse'
- - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse'
+ - $ref: >-
+ #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse
+ - $ref: >-
+ #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse
description: Invalid input data
'401':
content:
application/json:
schema:
- $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse'
+ $ref: >-
+ #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse
description: Unsuccessful authentication
'403':
content:
application/json:
schema:
- $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse'
+ $ref: >-
+ #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse
description: Insufficient privileges
'404':
content:
application/json:
schema:
- $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse'
+ $ref: >-
+ #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse
description: Endpoint list item not found
'500':
content:
application/json:
schema:
- $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse'
+ $ref: >-
+ #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse
description: Internal server error
summary: Delete an endpoint exception list item
tags:
- Security Endpoint Exceptions API
get:
- description: Get the details of an endpoint exception list item using the `id` or `item_id` field.
+ description: >-
+ Get the details of an endpoint exception list item using the `id` or
+ `item_id` field.
operationId: ReadEndpointListItem
parameters:
- description: Either `id` or `item_id` must be specified
@@ -14832,20 +16719,23 @@ paths:
name: id
required: false
schema:
- $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemId'
+ $ref: >-
+ #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemId
- description: Either `id` or `item_id` must be specified
in: query
name: item_id
required: false
schema:
- $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemHumanId'
+ $ref: >-
+ #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemHumanId
responses:
'200':
content:
application/json:
schema:
items:
- $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_EndpointListItem'
+ $ref: >-
+ #/components/schemas/Security_Endpoint_Exceptions_API_EndpointListItem
type: array
description: Successful response
'400':
@@ -14853,38 +16743,46 @@ paths:
application/json:
schema:
oneOf:
- - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse'
- - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse'
+ - $ref: >-
+ #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse
+ - $ref: >-
+ #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse
description: Invalid input data
'401':
content:
application/json:
schema:
- $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse'
+ $ref: >-
+ #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse
description: Unsuccessful authentication
'403':
content:
application/json:
schema:
- $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse'
+ $ref: >-
+ #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse
description: Insufficient privileges
'404':
content:
application/json:
schema:
- $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse'
+ $ref: >-
+ #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse
description: Endpoint list item not found
'500':
content:
application/json:
schema:
- $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse'
+ $ref: >-
+ #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse
description: Internal server error
summary: Get an endpoint exception list item
tags:
- Security Endpoint Exceptions API
post:
- description: Create an endpoint exception list item, and associate it with the endpoint exception list.
+ description: >-
+ Create an endpoint exception list item, and associate it with the
+ endpoint exception list.
operationId: CreateEndpointListItem
requestBody:
content:
@@ -14893,26 +16791,35 @@ paths:
type: object
properties:
comments:
- $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemCommentArray'
+ $ref: >-
+ #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemCommentArray
default: []
description:
- $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemDescription'
+ $ref: >-
+ #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemDescription
entries:
- $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryArray'
+ $ref: >-
+ #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryArray
item_id:
- $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemHumanId'
+ $ref: >-
+ #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemHumanId
meta:
- $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemMeta'
+ $ref: >-
+ #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemMeta
name:
- $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemName'
+ $ref: >-
+ #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemName
os_types:
- $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemOsTypeArray'
+ $ref: >-
+ #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemOsTypeArray
default: []
tags:
- $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemTags'
+ $ref: >-
+ #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemTags
default: []
type:
- $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemType'
+ $ref: >-
+ #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemType
required:
- type
- name
@@ -14925,45 +16832,54 @@ paths:
content:
application/json:
schema:
- $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_EndpointListItem'
+ $ref: >-
+ #/components/schemas/Security_Endpoint_Exceptions_API_EndpointListItem
description: Successful response
'400':
content:
application/json:
schema:
oneOf:
- - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse'
- - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse'
+ - $ref: >-
+ #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse
+ - $ref: >-
+ #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse
description: Invalid input data
'401':
content:
application/json:
schema:
- $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse'
+ $ref: >-
+ #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse
description: Unsuccessful authentication
'403':
content:
application/json:
schema:
- $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse'
+ $ref: >-
+ #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse
description: Insufficient privileges
'409':
content:
application/json:
schema:
- $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse'
+ $ref: >-
+ #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse
description: Endpoint list item already exists
'500':
content:
application/json:
schema:
- $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse'
+ $ref: >-
+ #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse
description: Internal server error
summary: Create an endpoint exception list item
tags:
- Security Endpoint Exceptions API
put:
- description: Update an endpoint exception list item using the `id` or `item_id` field.
+ description: >-
+ Update an endpoint exception list item using the `id` or `item_id`
+ field.
operationId: UpdateEndpointListItem
requestBody:
content:
@@ -14974,29 +16890,39 @@ paths:
_version:
type: string
comments:
- $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemCommentArray'
+ $ref: >-
+ #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemCommentArray
default: []
description:
- $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemDescription'
+ $ref: >-
+ #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemDescription
entries:
- $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryArray'
+ $ref: >-
+ #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryArray
id:
- $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemId'
+ $ref: >-
+ #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemId
description: Either `id` or `item_id` must be specified
item_id:
- $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemHumanId'
+ $ref: >-
+ #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemHumanId
description: Either `id` or `item_id` must be specified
meta:
- $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemMeta'
+ $ref: >-
+ #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemMeta
name:
- $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemName'
+ $ref: >-
+ #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemName
os_types:
- $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemOsTypeArray'
+ $ref: >-
+ #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemOsTypeArray
default: []
tags:
- $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemTags'
+ $ref: >-
+ #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemTags
type:
- $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemType'
+ $ref: >-
+ #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemType
required:
- type
- name
@@ -15009,39 +16935,46 @@ paths:
content:
application/json:
schema:
- $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_EndpointListItem'
+ $ref: >-
+ #/components/schemas/Security_Endpoint_Exceptions_API_EndpointListItem
description: Successful response
'400':
content:
application/json:
schema:
oneOf:
- - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse'
- - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse'
+ - $ref: >-
+ #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse
+ - $ref: >-
+ #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse
description: Invalid input data
'401':
content:
application/json:
schema:
- $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse'
+ $ref: >-
+ #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse
description: Unsuccessful authentication
'403':
content:
application/json:
schema:
- $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse'
+ $ref: >-
+ #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse
description: Insufficient privileges
'404':
content:
application/json:
schema:
- $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse'
+ $ref: >-
+ #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse
description: Endpoint list item not found
'500':
content:
application/json:
schema:
- $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse'
+ $ref: >-
+ #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse
description: Internal server error
summary: Update an endpoint exception list item
tags:
@@ -15051,14 +16984,17 @@ paths:
description: Get a list of all endpoint exception list items.
operationId: FindEndpointListItems
parameters:
- - description: |
- Filters the returned results according to the value of the specified field,
+ - description: >
+ Filters the returned results according to the value of the specified
+ field,
+
using the `:` syntax.
in: query
name: filter
required: false
schema:
- $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_FindEndpointListItemsFilter'
+ $ref: >-
+ #/components/schemas/Security_Endpoint_Exceptions_API_FindEndpointListItemsFilter
- description: The page number to return
in: query
name: page
@@ -15078,7 +17014,8 @@ paths:
name: sort_field
required: false
schema:
- $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString'
+ $ref: >-
+ #/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString
- description: Determines the sort order, which can be `desc` or `asc`
in: query
name: sort_order
@@ -15097,7 +17034,8 @@ paths:
properties:
data:
items:
- $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_EndpointListItem'
+ $ref: >-
+ #/components/schemas/Security_Endpoint_Exceptions_API_EndpointListItem
type: array
page:
minimum: 0
@@ -15121,32 +17059,38 @@ paths:
application/json:
schema:
oneOf:
- - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse'
- - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse'
+ - $ref: >-
+ #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse
+ - $ref: >-
+ #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse
description: Invalid input data
'401':
content:
application/json:
schema:
- $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse'
+ $ref: >-
+ #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse
description: Unsuccessful authentication
'403':
content:
application/json:
schema:
- $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse'
+ $ref: >-
+ #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse
description: Insufficient privileges
'404':
content:
application/json:
schema:
- $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse'
+ $ref: >-
+ #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse
description: Endpoint list not found
'500':
content:
application/json:
schema:
- $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse'
+ $ref: >-
+ #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse
description: Internal server error
summary: Get endpoint exception list items
tags:
@@ -15211,7 +17155,8 @@ paths:
content:
application/json:
schema:
- $ref: '#/components/schemas/Security_Endpoint_Management_API_GetEndpointActionListResponse'
+ $ref: >-
+ #/components/schemas/Security_Endpoint_Management_API_GetEndpointActionListResponse
description: OK
summary: Get response actions
tags:
@@ -15231,13 +17176,15 @@ paths:
name: query
required: true
schema:
- $ref: '#/components/schemas/Security_Endpoint_Management_API_ActionLogRequestQuery'
+ $ref: >-
+ #/components/schemas/Security_Endpoint_Management_API_ActionLogRequestQuery
responses:
'200':
content:
application/json:
schema:
- $ref: '#/components/schemas/Security_Endpoint_Management_API_SuccessResponse'
+ $ref: >-
+ #/components/schemas/Security_Endpoint_Management_API_SuccessResponse
description: OK
summary: Get an action request log
tags:
@@ -15260,7 +17207,8 @@ paths:
content:
application/json:
schema:
- $ref: '#/components/schemas/Security_Endpoint_Management_API_ActionStatusSuccessResponse'
+ $ref: >-
+ #/components/schemas/Security_Endpoint_Management_API_ActionStatusSuccessResponse
description: OK
summary: Get response actions status
tags:
@@ -15282,7 +17230,8 @@ paths:
content:
application/json:
schema:
- $ref: '#/components/schemas/Security_Endpoint_Management_API_GetEndpointActionResponse'
+ $ref: >-
+ #/components/schemas/Security_Endpoint_Management_API_GetEndpointActionResponse
description: OK
summary: Get action details
tags:
@@ -15307,7 +17256,8 @@ paths:
content:
application/json:
schema:
- $ref: '#/components/schemas/Security_Endpoint_Management_API_SuccessResponse'
+ $ref: >-
+ #/components/schemas/Security_Endpoint_Management_API_SuccessResponse
description: OK
summary: Get file information
tags:
@@ -15332,7 +17282,8 @@ paths:
content:
application/json:
schema:
- $ref: '#/components/schemas/Security_Endpoint_Management_API_SuccessResponse'
+ $ref: >-
+ #/components/schemas/Security_Endpoint_Management_API_SuccessResponse
description: OK
summary: Download a file
tags:
@@ -15345,14 +17296,16 @@ paths:
content:
application/json:
schema:
- $ref: '#/components/schemas/Security_Endpoint_Management_API_ExecuteRouteRequestBody'
+ $ref: >-
+ #/components/schemas/Security_Endpoint_Management_API_ExecuteRouteRequestBody
required: true
responses:
'200':
content:
application/json:
schema:
- $ref: '#/components/schemas/Security_Endpoint_Management_API_ExecuteRouteResponse'
+ $ref: >-
+ #/components/schemas/Security_Endpoint_Management_API_ExecuteRouteResponse
description: OK
summary: Run a command
tags:
@@ -15365,21 +17318,25 @@ paths:
content:
application/json:
schema:
- $ref: '#/components/schemas/Security_Endpoint_Management_API_GetFileRouteRequestBody'
+ $ref: >-
+ #/components/schemas/Security_Endpoint_Management_API_GetFileRouteRequestBody
required: true
responses:
'200':
content:
application/json:
schema:
- $ref: '#/components/schemas/Security_Endpoint_Management_API_GetFileRouteResponse'
+ $ref: >-
+ #/components/schemas/Security_Endpoint_Management_API_GetFileRouteResponse
description: OK
summary: Get a file
tags:
- Security Endpoint Management API
/api/endpoint/action/isolate:
post:
- description: Isolate an endpoint from the network. The endpoint remains isolated until it's released.
+ description: >-
+ Isolate an endpoint from the network. The endpoint remains isolated
+ until it's released.
operationId: EndpointIsolateAction
requestBody:
content:
@@ -15394,7 +17351,9 @@ paths:
- bc0e4f0c-3bca-4633-9fee-156c0b505d16
- fa89271b-b9d4-43f2-a684-307cffddeb5a
single_endpoint:
- summary: Isolates a single host with an endpoint_id value of ed518850-681a-4d60-bb98-e22640cae2a8
+ summary: >-
+ Isolates a single host with an endpoint_id value of
+ ed518850-681a-4d60-bb98-e22640cae2a8
value:
endpoint_ids:
- ed518850-681a-4d60-bb98-e22640cae2a8
@@ -15411,17 +17370,23 @@ paths:
type: object
properties:
agent_type:
- $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes'
+ $ref: >-
+ #/components/schemas/Security_Endpoint_Management_API_AgentTypes
alert_ids:
- $ref: '#/components/schemas/Security_Endpoint_Management_API_AlertIds'
+ $ref: >-
+ #/components/schemas/Security_Endpoint_Management_API_AlertIds
case_ids:
- $ref: '#/components/schemas/Security_Endpoint_Management_API_CaseIds'
+ $ref: >-
+ #/components/schemas/Security_Endpoint_Management_API_CaseIds
comment:
- $ref: '#/components/schemas/Security_Endpoint_Management_API_Comment'
+ $ref: >-
+ #/components/schemas/Security_Endpoint_Management_API_Comment
endpoint_ids:
- $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointIds'
+ $ref: >-
+ #/components/schemas/Security_Endpoint_Management_API_EndpointIds
parameters:
- $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters'
+ $ref: >-
+ #/components/schemas/Security_Endpoint_Management_API_Parameters
required:
- endpoint_ids
required: true
@@ -15430,7 +17395,8 @@ paths:
content:
application/json:
schema:
- $ref: '#/components/schemas/Security_Endpoint_Management_API_IsolateRouteResponse'
+ $ref: >-
+ #/components/schemas/Security_Endpoint_Management_API_IsolateRouteResponse
description: OK
summary: Isolate an endpoint
tags:
@@ -15443,14 +17409,16 @@ paths:
content:
application/json:
schema:
- $ref: '#/components/schemas/Security_Endpoint_Management_API_KillProcessRouteRequestBody'
+ $ref: >-
+ #/components/schemas/Security_Endpoint_Management_API_KillProcessRouteRequestBody
required: true
responses:
'200':
content:
application/json:
schema:
- $ref: '#/components/schemas/Security_Endpoint_Management_API_KillProcessRouteResponse'
+ $ref: >-
+ #/components/schemas/Security_Endpoint_Management_API_KillProcessRouteResponse
description: OK
summary: Terminate a process
tags:
@@ -15463,14 +17431,16 @@ paths:
content:
application/json:
schema:
- $ref: '#/components/schemas/Security_Endpoint_Management_API_GetProcessesRouteRequestBody'
+ $ref: >-
+ #/components/schemas/Security_Endpoint_Management_API_GetProcessesRouteRequestBody
required: true
responses:
'200':
content:
application/json:
schema:
- $ref: '#/components/schemas/Security_Endpoint_Management_API_GetProcessesRouteResponse'
+ $ref: >-
+ #/components/schemas/Security_Endpoint_Management_API_GetProcessesRouteResponse
description: OK
summary: Get running processes
tags:
@@ -15483,14 +17453,16 @@ paths:
content:
application/json:
schema:
- $ref: '#/components/schemas/Security_Endpoint_Management_API_RunScriptRouteRequestBody'
+ $ref: >-
+ #/components/schemas/Security_Endpoint_Management_API_RunScriptRouteRequestBody
required: true
responses:
'200':
content:
application/json:
schema:
- $ref: '#/components/schemas/Security_Endpoint_Management_API_SuccessResponse'
+ $ref: >-
+ #/components/schemas/Security_Endpoint_Management_API_SuccessResponse
description: OK
summary: Run a script
tags:
@@ -15503,28 +17475,33 @@ paths:
content:
application/json:
schema:
- $ref: '#/components/schemas/Security_Endpoint_Management_API_ScanRouteRequestBody'
+ $ref: >-
+ #/components/schemas/Security_Endpoint_Management_API_ScanRouteRequestBody
required: true
responses:
'200':
content:
application/json:
schema:
- $ref: '#/components/schemas/Security_Endpoint_Management_API_ScanRouteResponse'
+ $ref: >-
+ #/components/schemas/Security_Endpoint_Management_API_ScanRouteResponse
description: OK
summary: Scan a file or directory
tags:
- Security Endpoint Management API
/api/endpoint/action/state:
get:
- description: Get a response actions state, which reports whether encryption is enabled.
+ description: >-
+ Get a response actions state, which reports whether encryption is
+ enabled.
operationId: EndpointGetActionsState
responses:
'200':
content:
application/json:
schema:
- $ref: '#/components/schemas/Security_Endpoint_Management_API_ActionStateSuccessResponse'
+ $ref: >-
+ #/components/schemas/Security_Endpoint_Management_API_ActionStateSuccessResponse
description: OK
summary: Get actions state
tags:
@@ -15537,14 +17514,16 @@ paths:
content:
application/json:
schema:
- $ref: '#/components/schemas/Security_Endpoint_Management_API_SuspendProcessRouteRequestBody'
+ $ref: >-
+ #/components/schemas/Security_Endpoint_Management_API_SuspendProcessRouteRequestBody
required: true
responses:
'200':
content:
application/json:
schema:
- $ref: '#/components/schemas/Security_Endpoint_Management_API_SuspendProcessRouteResponse'
+ $ref: >-
+ #/components/schemas/Security_Endpoint_Management_API_SuspendProcessRouteResponse
description: OK
summary: Suspend a process
tags:
@@ -15566,7 +17545,9 @@ paths:
- bc0e4f0c-3bca-4633-9fee-156c0b505d16
- fa89271b-b9d4-43f2-a684-307cffddeb5a
singleHost:
- summary: Releases a single host with an endpoint_id value of ed518850-681a-4d60-bb98-e22640cae2a8
+ summary: >-
+ Releases a single host with an endpoint_id value of
+ ed518850-681a-4d60-bb98-e22640cae2a8
value:
endpoint_ids:
- ed518850-681a-4d60-bb98-e22640cae2a8
@@ -15583,17 +17564,23 @@ paths:
type: object
properties:
agent_type:
- $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes'
+ $ref: >-
+ #/components/schemas/Security_Endpoint_Management_API_AgentTypes
alert_ids:
- $ref: '#/components/schemas/Security_Endpoint_Management_API_AlertIds'
+ $ref: >-
+ #/components/schemas/Security_Endpoint_Management_API_AlertIds
case_ids:
- $ref: '#/components/schemas/Security_Endpoint_Management_API_CaseIds'
+ $ref: >-
+ #/components/schemas/Security_Endpoint_Management_API_CaseIds
comment:
- $ref: '#/components/schemas/Security_Endpoint_Management_API_Comment'
+ $ref: >-
+ #/components/schemas/Security_Endpoint_Management_API_Comment
endpoint_ids:
- $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointIds'
+ $ref: >-
+ #/components/schemas/Security_Endpoint_Management_API_EndpointIds
parameters:
- $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters'
+ $ref: >-
+ #/components/schemas/Security_Endpoint_Management_API_Parameters
required:
- endpoint_ids
required: true
@@ -15602,7 +17589,8 @@ paths:
content:
application/json:
schema:
- $ref: '#/components/schemas/Security_Endpoint_Management_API_UnisolateRouteResponse'
+ $ref: >-
+ #/components/schemas/Security_Endpoint_Management_API_UnisolateRouteResponse
description: OK
summary: Release an isolated endpoint
tags:
@@ -15615,14 +17603,16 @@ paths:
content:
multipart/form-data:
schema:
- $ref: '#/components/schemas/Security_Endpoint_Management_API_UploadRouteRequestBody'
+ $ref: >-
+ #/components/schemas/Security_Endpoint_Management_API_UploadRouteRequestBody
required: true
responses:
'200':
content:
application/json:
schema:
- $ref: '#/components/schemas/Security_Endpoint_Management_API_UploadRouteResponse'
+ $ref: >-
+ #/components/schemas/Security_Endpoint_Management_API_UploadRouteResponse
description: OK
summary: Upload a file
tags:
@@ -15630,10 +17620,13 @@ paths:
/api/endpoint/isolate:
post:
deprecated: true
- description: |
+ description: >
Isolate an endpoint from the network.
+
> info
- > This URL will return a 308 permanent redirect to `POST :/api/endpoint/action/isolate`.
+
+ > This URL will return a 308 permanent redirect to `POST :/api/endpoint/action/isolate`.
operationId: EndpointIsolateRedirect
requestBody:
content:
@@ -15642,17 +17635,23 @@ paths:
type: object
properties:
agent_type:
- $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes'
+ $ref: >-
+ #/components/schemas/Security_Endpoint_Management_API_AgentTypes
alert_ids:
- $ref: '#/components/schemas/Security_Endpoint_Management_API_AlertIds'
+ $ref: >-
+ #/components/schemas/Security_Endpoint_Management_API_AlertIds
case_ids:
- $ref: '#/components/schemas/Security_Endpoint_Management_API_CaseIds'
+ $ref: >-
+ #/components/schemas/Security_Endpoint_Management_API_CaseIds
comment:
- $ref: '#/components/schemas/Security_Endpoint_Management_API_Comment'
+ $ref: >-
+ #/components/schemas/Security_Endpoint_Management_API_Comment
endpoint_ids:
- $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointIds'
+ $ref: >-
+ #/components/schemas/Security_Endpoint_Management_API_EndpointIds
parameters:
- $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters'
+ $ref: >-
+ #/components/schemas/Security_Endpoint_Management_API_Parameters
required:
- endpoint_ids
required: true
@@ -15661,7 +17660,8 @@ paths:
content:
application/json:
schema:
- $ref: '#/components/schemas/Security_Endpoint_Management_API_SuccessResponse'
+ $ref: >-
+ #/components/schemas/Security_Endpoint_Management_API_SuccessResponse
description: OK
'308':
description: Permanent Redirect
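Review bot: This deprecated route documents both a `'200'` OK response and a `'308'` Permanent Redirect, while its description (in the hunk above) says the URL will return a 308 to `POST :/api/endpoint/action/isolate`; as written it is not clear when a caller would ever see the `200` directly. If the `200` is the response of the redirect target after the client follows the 308, say so in its description, e.g. `description: OK (response of the redirect target, returned only when the client follows the 308)`. Worth a sentence too that 308 preserves the method and body, so HTTP clients must be configured to follow redirects for POST or they will stop at the 308 with the isolate never executed. The operation's header lines are outside this hunk.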
@@ -15707,13 +17707,15 @@ paths:
name: sortDirection
required: false
schema:
- $ref: '#/components/schemas/Security_Endpoint_Management_API_SortDirection'
+ $ref: >-
+ #/components/schemas/Security_Endpoint_Management_API_SortDirection
responses:
'200':
content:
application/json:
schema:
- $ref: '#/components/schemas/Security_Endpoint_Management_API_MetadataListResponse'
+ $ref: >-
+ #/components/schemas/Security_Endpoint_Management_API_MetadataListResponse
description: OK
summary: Get a metadata list
tags:
@@ -15733,7 +17735,8 @@ paths:
content:
application/json:
schema:
- $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointMetadataResponse'
+ $ref: >-
+ #/components/schemas/Security_Endpoint_Management_API_EndpointMetadataResponse
description: OK
summary: Get metadata
tags:
@@ -15747,7 +17750,8 @@ paths:
content:
application/json:
schema:
- $ref: '#/components/schemas/Security_Endpoint_Management_API_SuccessResponse'
+ $ref: >-
+ #/components/schemas/Security_Endpoint_Management_API_SuccessResponse
description: OK
summary: Get metadata transforms
tags:
@@ -15769,7 +17773,8 @@ paths:
content:
application/json:
schema:
- $ref: '#/components/schemas/Security_Endpoint_Management_API_SuccessResponse'
+ $ref: >-
+ #/components/schemas/Security_Endpoint_Management_API_SuccessResponse
description: OK
summary: Get a policy response
tags:
@@ -15795,7 +17800,8 @@ paths:
content:
application/json:
schema:
- $ref: '#/components/schemas/Security_Endpoint_Management_API_SuccessResponse'
+ $ref: >-
+ #/components/schemas/Security_Endpoint_Management_API_SuccessResponse
description: OK
summary: Get an agent policy summary
tags:
@@ -15814,7 +17820,8 @@ paths:
content:
application/json:
schema:
- $ref: '#/components/schemas/Security_Endpoint_Management_API_ProtectionUpdatesNoteResponse'
+ $ref: >-
+ #/components/schemas/Security_Endpoint_Management_API_ProtectionUpdatesNoteResponse
description: OK
summary: Get a protection updates note
tags:
@@ -15841,7 +17848,8 @@ paths:
content:
application/json:
schema:
- $ref: '#/components/schemas/Security_Endpoint_Management_API_ProtectionUpdatesNoteResponse'
+ $ref: >-
+ #/components/schemas/Security_Endpoint_Management_API_ProtectionUpdatesNoteResponse
description: OK
summary: Create or update a protection updates note
tags:
@@ -15878,7 +17886,8 @@ paths:
content:
application/json:
schema:
- $ref: '#/components/schemas/Security_Endpoint_Management_API_SuccessResponse'
+ $ref: >-
+ #/components/schemas/Security_Endpoint_Management_API_SuccessResponse
description: OK
summary: Get suggestions
tags:
@@ -15886,10 +17895,13 @@ paths:
/api/endpoint/unisolate:
post:
deprecated: true
- description: |
+ description: >
Release an isolated endpoint, allowing it to rejoin a network.
+
> info
- > This URL will return a 308 permanent redirect to `POST :/api/endpoint/action/unisolate`.
+
+ > This URL will return a 308 permanent redirect to `POST :/api/endpoint/action/unisolate`.
operationId: EndpointUnisolateRedirect
requestBody:
content:
@@ -15898,17 +17910,23 @@ paths:
type: object
properties:
agent_type:
- $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes'
+ $ref: >-
+ #/components/schemas/Security_Endpoint_Management_API_AgentTypes
alert_ids:
- $ref: '#/components/schemas/Security_Endpoint_Management_API_AlertIds'
+ $ref: >-
+ #/components/schemas/Security_Endpoint_Management_API_AlertIds
case_ids:
- $ref: '#/components/schemas/Security_Endpoint_Management_API_CaseIds'
+ $ref: >-
+ #/components/schemas/Security_Endpoint_Management_API_CaseIds
comment:
- $ref: '#/components/schemas/Security_Endpoint_Management_API_Comment'
+ $ref: >-
+ #/components/schemas/Security_Endpoint_Management_API_Comment
endpoint_ids:
- $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointIds'
+ $ref: >-
+ #/components/schemas/Security_Endpoint_Management_API_EndpointIds
parameters:
- $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters'
+ $ref: >-
+ #/components/schemas/Security_Endpoint_Management_API_Parameters
required:
- endpoint_ids
required: true
@@ -15917,7 +17935,8 @@ paths:
content:
application/json:
schema:
- $ref: '#/components/schemas/Security_Endpoint_Management_API_SuccessResponse'
+ $ref: >-
+ #/components/schemas/Security_Endpoint_Management_API_SuccessResponse
description: OK
'308':
description: Permanent Redirect
@@ -15951,7 +17970,8 @@ paths:
$ref: '#/components/schemas/Security_Entity_Analytics_API_Interval'
entityTypes:
items:
- $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType'
+ $ref: >-
+ #/components/schemas/Security_Entity_Analytics_API_EntityType
type: array
fieldHistoryLength:
default: 10
@@ -15965,10 +17985,13 @@ paths:
pattern: '[smdh]$'
type: string
indexPattern:
- $ref: '#/components/schemas/Security_Entity_Analytics_API_IndexPattern'
+ $ref: >-
+ #/components/schemas/Security_Entity_Analytics_API_IndexPattern
lookbackPeriod:
default: 24h
- description: The amount of time the transform looks back to calculate the aggregations.
+ description: >-
+ The amount of time the transform looks back to calculate the
+ aggregations.
pattern: '[smdh]$'
type: string
timeout:
@@ -15991,7 +18014,8 @@ paths:
properties:
engines:
items:
- $ref: '#/components/schemas/Security_Entity_Analytics_API_EngineDescriptor'
+ $ref: >-
+ #/components/schemas/Security_Entity_Analytics_API_EngineDescriptor
type: array
succeeded:
type: boolean
@@ -16015,7 +18039,8 @@ paths:
type: integer
engines:
items:
- $ref: '#/components/schemas/Security_Entity_Analytics_API_EngineDescriptor'
+ $ref: >-
+ #/components/schemas/Security_Entity_Analytics_API_EngineDescriptor
type: array
description: Successful response
summary: List the Entity Engines
@@ -16064,7 +18089,8 @@ paths:
content:
application/json:
schema:
- $ref: '#/components/schemas/Security_Entity_Analytics_API_EngineDescriptor'
+ $ref: >-
+ #/components/schemas/Security_Entity_Analytics_API_EngineDescriptor
description: Successful response
summary: Get an Entity Engine
tags:
@@ -16107,10 +18133,13 @@ paths:
pattern: '[smdh]$'
type: string
indexPattern:
- $ref: '#/components/schemas/Security_Entity_Analytics_API_IndexPattern'
+ $ref: >-
+ #/components/schemas/Security_Entity_Analytics_API_IndexPattern
lookbackPeriod:
default: 24h
- description: The amount of time the transform looks back to calculate the aggregations.
+ description: >-
+ The amount of time the transform looks back to calculate the
+ aggregations.
pattern: '[smdh]$'
type: string
timeout:
@@ -16129,7 +18158,8 @@ paths:
content:
application/json:
schema:
- $ref: '#/components/schemas/Security_Entity_Analytics_API_EngineDescriptor'
+ $ref: >-
+ #/components/schemas/Security_Entity_Analytics_API_EngineDescriptor
description: Successful response
'400':
description: Invalid request
@@ -16194,7 +18224,8 @@ paths:
properties:
result:
items:
- $ref: '#/components/schemas/Security_Entity_Analytics_API_EngineDataviewUpdateResult'
+ $ref: >-
+ #/components/schemas/Security_Entity_Analytics_API_EngineDataviewUpdateResult
type: array
success:
type: boolean
@@ -16211,7 +18242,8 @@ paths:
type: array
result:
items:
- $ref: '#/components/schemas/Security_Entity_Analytics_API_EngineDataviewUpdateResult'
+ $ref: >-
+ #/components/schemas/Security_Entity_Analytics_API_EngineDataviewUpdateResult
type: array
success:
type: boolean
@@ -16282,7 +18314,8 @@ paths:
type: object
properties:
inspect:
- $ref: '#/components/schemas/Security_Entity_Analytics_API_InspectQuery'
+ $ref: >-
+ #/components/schemas/Security_Entity_Analytics_API_InspectQuery
page:
minimum: 1
type: integer
@@ -16292,7 +18325,8 @@ paths:
type: integer
records:
items:
- $ref: '#/components/schemas/Security_Entity_Analytics_API_Entity'
+ $ref: >-
+ #/components/schemas/Security_Entity_Analytics_API_Entity
type: array
total:
minimum: 0
@@ -16310,7 +18344,9 @@ paths:
get:
operationId: GetEntityStoreStatus
parameters:
- - description: If true returns a detailed status of the engine including all it's components
+ - description: >-
+ If true returns a detailed status of the engine including all it's
+ components
in: query
name: include_components
schema:
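Review bot: The re-wrapped `include_components` parameter description carries the pre-existing typo `all it's components` (possessive, so `its`); the commit re-folds the text without fixing it. Suggested wording: `If true, returns a detailed status of the engine including all its components`. The parameter's `schema:` body and the operation's responses are below this hunk.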
@@ -16325,16 +18361,19 @@ paths:
engines:
items:
allOf:
- - $ref: '#/components/schemas/Security_Entity_Analytics_API_EngineDescriptor'
+ - $ref: >-
+ #/components/schemas/Security_Entity_Analytics_API_EngineDescriptor
- type: object
properties:
components:
items:
- $ref: '#/components/schemas/Security_Entity_Analytics_API_EngineComponentStatus'
+ $ref: >-
+ #/components/schemas/Security_Entity_Analytics_API_EngineComponentStatus
type: array
type: array
status:
- $ref: '#/components/schemas/Security_Entity_Analytics_API_StoreStatus'
+ $ref: >-
+ #/components/schemas/Security_Entity_Analytics_API_StoreStatus
required:
- status
- engines
@@ -16363,7 +18402,8 @@ paths:
name: namespace_type
required: false
schema:
- $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType'
+ $ref: >-
+ #/components/schemas/Security_Exceptions_API_ExceptionNamespaceType
default: single
responses:
'200':
@@ -16377,20 +18417,24 @@ paths:
application/json:
schema:
oneOf:
- - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse'
- - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse'
+ - $ref: >-
+ #/components/schemas/Security_Exceptions_API_PlatformErrorResponse
+ - $ref: >-
+ #/components/schemas/Security_Exceptions_API_SiemErrorResponse
description: Invalid input data response
'401':
content:
application/json:
schema:
- $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse'
+ $ref: >-
+ #/components/schemas/Security_Exceptions_API_PlatformErrorResponse
description: Unsuccessful authentication response
'403':
content:
application/json:
schema:
- $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse'
+ $ref: >-
+ #/components/schemas/Security_Exceptions_API_PlatformErrorResponse
description: Not enough privileges response
'404':
content:
@@ -16427,7 +18471,8 @@ paths:
name: namespace_type
required: false
schema:
- $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType'
+ $ref: >-
+ #/components/schemas/Security_Exceptions_API_ExceptionNamespaceType
default: single
responses:
'200':
@@ -16441,20 +18486,24 @@ paths:
application/json:
schema:
oneOf:
- - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse'
- - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse'
+ - $ref: >-
+ #/components/schemas/Security_Exceptions_API_PlatformErrorResponse
+ - $ref: >-
+ #/components/schemas/Security_Exceptions_API_SiemErrorResponse
description: Invalid input data response
'401':
content:
application/json:
schema:
- $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse'
+ $ref: >-
+ #/components/schemas/Security_Exceptions_API_PlatformErrorResponse
description: Unsuccessful authentication response
'403':
content:
application/json:
schema:
- $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse'
+ $ref: >-
+ #/components/schemas/Security_Exceptions_API_PlatformErrorResponse
description: Not enough privileges response
'404':
content:
@@ -16472,10 +18521,19 @@ paths:
tags:
- Security Exceptions API
post:
- description: |
- An exception list groups exception items and can be associated with detection rules. You can assign detection rules with multiple exception lists.
+ description: >
+ An exception list groups exception items and can be associated with
+ detection rules. You can assign detection rules with multiple exception
+ lists.
+
> info
- > All exception items added to the same list are evaluated using `OR` logic. That is, if any of the items in a list evaluate to `true`, the exception prevents the rule from generating an alert. Likewise, `OR` logic is used for evaluating exceptions when more than one exception list is assigned to a rule. To use the `AND` operator, you can define multiple clauses (`entries`) in a single exception item.
+
+ > All exception items added to the same list are evaluated using `OR`
+ logic. That is, if any of the items in a list evaluate to `true`, the
+ exception prevents the rule from generating an alert. Likewise, `OR`
+ logic is used for evaluating exceptions when more than one exception
+ list is assigned to a rule. To use the `AND` operator, you can define
+ multiple clauses (`entries`) in a single exception item.
operationId: CreateExceptionList
requestBody:
content:
@@ -16484,25 +18542,34 @@ paths:
type: object
properties:
description:
- $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListDescription'
+ $ref: >-
+ #/components/schemas/Security_Exceptions_API_ExceptionListDescription
list_id:
- $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId'
+ $ref: >-
+ #/components/schemas/Security_Exceptions_API_ExceptionListHumanId
meta:
- $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListMeta'
+ $ref: >-
+ #/components/schemas/Security_Exceptions_API_ExceptionListMeta
name:
- $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListName'
+ $ref: >-
+ #/components/schemas/Security_Exceptions_API_ExceptionListName
namespace_type:
- $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType'
+ $ref: >-
+ #/components/schemas/Security_Exceptions_API_ExceptionNamespaceType
default: single
os_types:
- $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListOsTypeArray'
+ $ref: >-
+ #/components/schemas/Security_Exceptions_API_ExceptionListOsTypeArray
tags:
- $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListTags'
+ $ref: >-
+ #/components/schemas/Security_Exceptions_API_ExceptionListTags
default: []
type:
- $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListType'
+ $ref: >-
+ #/components/schemas/Security_Exceptions_API_ExceptionListType
version:
- $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListVersion'
+ $ref: >-
+ #/components/schemas/Security_Exceptions_API_ExceptionListVersion
default: 1
required:
- name
@@ -16522,20 +18589,24 @@ paths:
application/json:
schema:
oneOf:
- - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse'
- - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse'
+ - $ref: >-
+ #/components/schemas/Security_Exceptions_API_PlatformErrorResponse
+ - $ref: >-
+ #/components/schemas/Security_Exceptions_API_SiemErrorResponse
description: Invalid input data response
'401':
content:
application/json:
schema:
- $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse'
+ $ref: >-
+ #/components/schemas/Security_Exceptions_API_PlatformErrorResponse
description: Unsuccessful authentication response
'403':
content:
application/json:
schema:
- $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse'
+ $ref: >-
+ #/components/schemas/Security_Exceptions_API_PlatformErrorResponse
description: Not enough privileges response
'409':
content:
@@ -16564,27 +18635,36 @@ paths:
_version:
type: string
description:
- $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListDescription'
+ $ref: >-
+ #/components/schemas/Security_Exceptions_API_ExceptionListDescription
id:
$ref: '#/components/schemas/Security_Exceptions_API_ExceptionListId'
list_id:
- $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId'
+ $ref: >-
+ #/components/schemas/Security_Exceptions_API_ExceptionListHumanId
meta:
- $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListMeta'
+ $ref: >-
+ #/components/schemas/Security_Exceptions_API_ExceptionListMeta
name:
- $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListName'
+ $ref: >-
+ #/components/schemas/Security_Exceptions_API_ExceptionListName
namespace_type:
- $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType'
+ $ref: >-
+ #/components/schemas/Security_Exceptions_API_ExceptionNamespaceType
default: single
os_types:
- $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListOsTypeArray'
+ $ref: >-
+ #/components/schemas/Security_Exceptions_API_ExceptionListOsTypeArray
default: []
tags:
- $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListTags'
+ $ref: >-
+ #/components/schemas/Security_Exceptions_API_ExceptionListTags
type:
- $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListType'
+ $ref: >-
+ #/components/schemas/Security_Exceptions_API_ExceptionListType
version:
- $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListVersion'
+ $ref: >-
+ #/components/schemas/Security_Exceptions_API_ExceptionListVersion
required:
- name
- description
@@ -16603,20 +18683,24 @@ paths:
application/json:
schema:
oneOf:
- - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse'
- - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse'
+ - $ref: >-
+ #/components/schemas/Security_Exceptions_API_PlatformErrorResponse
+ - $ref: >-
+ #/components/schemas/Security_Exceptions_API_SiemErrorResponse
description: Invalid input data response
'401':
content:
application/json:
schema:
- $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse'
+ $ref: >-
+ #/components/schemas/Security_Exceptions_API_PlatformErrorResponse
description: Unsuccessful authentication response
'403':
content:
application/json:
schema:
- $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse'
+ $ref: >-
+ #/components/schemas/Security_Exceptions_API_PlatformErrorResponse
description: Not enough privileges response
'404':
content:
@@ -16648,8 +18732,11 @@ paths:
name: namespace_type
required: true
schema:
- $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType'
- - description: Determines whether to include expired exceptions in the exported list
+ $ref: >-
+ #/components/schemas/Security_Exceptions_API_ExceptionNamespaceType
+ - description: >-
+ Determines whether to include expired exceptions in the exported
+ list
in: query
name: include_expired_exceptions
required: true
@@ -16671,20 +18758,24 @@ paths:
application/json:
schema:
oneOf:
- - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse'
- - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse'
+ - $ref: >-
+ #/components/schemas/Security_Exceptions_API_PlatformErrorResponse
+ - $ref: >-
+ #/components/schemas/Security_Exceptions_API_SiemErrorResponse
description: Invalid input data response
'401':
content:
application/json:
schema:
- $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse'
+ $ref: >-
+ #/components/schemas/Security_Exceptions_API_PlatformErrorResponse
description: Unsuccessful authentication response
'403':
content:
application/json:
schema:
- $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse'
+ $ref: >-
+ #/components/schemas/Security_Exceptions_API_PlatformErrorResponse
description: Not enough privileges response
'405':
content:
@@ -16722,8 +18813,11 @@ paths:
name: namespace_type
required: true
schema:
- $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType'
- - description: Determines whether to include expired exceptions in the exported list
+ $ref: >-
+ #/components/schemas/Security_Exceptions_API_ExceptionNamespaceType
+ - description: >-
+ Determines whether to include expired exceptions in the exported
+ list
in: query
name: include_expired_exceptions
required: true
@@ -16738,7 +18832,9 @@ paths:
content:
application/ndjson:
schema:
- description: A `.ndjson` file containing specified exception list and its items
+ description: >-
+ A `.ndjson` file containing specified exception list and its
+ items
format: binary
type: string
description: Successful response
@@ -16747,20 +18843,24 @@ paths:
application/json:
schema:
oneOf:
- - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse'
- - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse'
+ - $ref: >-
+ #/components/schemas/Security_Exceptions_API_PlatformErrorResponse
+ - $ref: >-
+ #/components/schemas/Security_Exceptions_API_SiemErrorResponse
description: Invalid input data response
'401':
content:
application/json:
schema:
- $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse'
+ $ref: >-
+ #/components/schemas/Security_Exceptions_API_PlatformErrorResponse
description: Unsuccessful authentication response
'403':
content:
application/json:
schema:
- $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse'
+ $ref: >-
+ #/components/schemas/Security_Exceptions_API_PlatformErrorResponse
description: Not enough privileges response
'404':
content:
@@ -16782,20 +18882,29 @@ paths:
description: Get a list of all exception lists.
operationId: FindExceptionLists
parameters:
- - description: |
- Filters the returned results according to the value of the specified field.
+ - description: >
+ Filters the returned results according to the value of the specified
+ field.
+
+
+ Uses the `so type.field name:field` value syntax, where `so type`
+ can be:
- Uses the `so type.field name:field` value syntax, where `so type` can be:
- `exception-list`: Specify a space-aware exception list.
- - `exception-list-agnostic`: Specify an exception list that is shared across spaces.
+
+ - `exception-list-agnostic`: Specify an exception list that is
+ shared across spaces.
in: query
name: filter
required: false
schema:
- $ref: '#/components/schemas/Security_Exceptions_API_FindExceptionListsFilter'
- - description: |
- Determines whether the returned containers are Kibana associated with a Kibana space
+ $ref: >-
+ #/components/schemas/Security_Exceptions_API_FindExceptionListsFilter
+ - description: >
+ Determines whether the returned containers are Kibana associated
+ with a Kibana space
+
or available in all spaces (`agnostic` or `single`)
in: query
name: namespace_type
@@ -16804,7 +18913,8 @@ paths:
default:
- single
items:
- $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType'
+ $ref: >-
+ #/components/schemas/Security_Exceptions_API_ExceptionNamespaceType
type: array
- description: The page number to return
in: query
@@ -16844,7 +18954,8 @@ paths:
properties:
data:
items:
- $ref: '#/components/schemas/Security_Exceptions_API_ExceptionList'
+ $ref: >-
+ #/components/schemas/Security_Exceptions_API_ExceptionList
type: array
page:
minimum: 1
@@ -16866,20 +18977,24 @@ paths:
application/json:
schema:
oneOf:
- - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse'
- - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse'
+ - $ref: >-
+ #/components/schemas/Security_Exceptions_API_PlatformErrorResponse
+ - $ref: >-
+ #/components/schemas/Security_Exceptions_API_SiemErrorResponse
description: Invalid input data response
'401':
content:
application/json:
schema:
- $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse'
+ $ref: >-
+ #/components/schemas/Security_Exceptions_API_PlatformErrorResponse
description: Unsuccessful authentication response
'403':
content:
application/json:
schema:
- $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse'
+ $ref: >-
+ #/components/schemas/Security_Exceptions_API_PlatformErrorResponse
description: Not enough privileges response
'500':
content:
@@ -16895,9 +19010,12 @@ paths:
description: Import an exception list and its associated items from an NDJSON file.
operationId: ImportExceptionList
parameters:
- - description: |
- Determines whether existing exception lists with the same `list_id` are overwritten.
- If any exception items have the same `item_id`, those are also overwritten.
+ - description: >
+ Determines whether existing exception lists with the same `list_id`
+ are overwritten.
+
+ If any exception items have the same `item_id`, those are also
+ overwritten.
in: query
name: overwrite
required: false
@@ -16916,9 +19034,13 @@ paths:
schema:
default: false
type: boolean
- - description: |
- Determines whether the list being imported will have a new `list_id` generated.
- Additional `item_id`'s are generated for each exception item. Both the exception
+ - description: >
+ Determines whether the list being imported will have a new `list_id`
+ generated.
+
+ Additional `item_id`'s are generated for each exception item. Both
+ the exception
+
list and its items are overwritten.
in: query
name: as_new_list
@@ -16945,7 +19067,8 @@ paths:
type: object
properties:
errors:
- $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListsImportBulkErrorArray'
+ $ref: >-
+ #/components/schemas/Security_Exceptions_API_ExceptionListsImportBulkErrorArray
success:
type: boolean
success_count:
@@ -16975,20 +19098,24 @@ paths:
application/json:
schema:
oneOf:
- - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse'
- - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse'
+ - $ref: >-
+ #/components/schemas/Security_Exceptions_API_PlatformErrorResponse
+ - $ref: >-
+ #/components/schemas/Security_Exceptions_API_SiemErrorResponse
description: Invalid input data response
'401':
content:
application/json:
schema:
- $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse'
+ $ref: >-
+ #/components/schemas/Security_Exceptions_API_PlatformErrorResponse
description: Unsuccessful authentication response
'403':
content:
application/json:
schema:
- $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse'
+ $ref: >-
+ #/components/schemas/Security_Exceptions_API_PlatformErrorResponse
description: Not enough privileges response
'500':
content:
@@ -17015,12 +19142,14 @@ paths:
name: item_id
required: false
schema:
- $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemHumanId'
+ $ref: >-
+ #/components/schemas/Security_Exceptions_API_ExceptionListItemHumanId
- in: query
name: namespace_type
required: false
schema:
- $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType'
+ $ref: >-
+ #/components/schemas/Security_Exceptions_API_ExceptionNamespaceType
default: single
responses:
'200':
@@ -17034,20 +19163,24 @@ paths:
application/json:
schema:
oneOf:
- - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse'
- - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse'
+ - $ref: >-
+ #/components/schemas/Security_Exceptions_API_PlatformErrorResponse
+ - $ref: >-
+ #/components/schemas/Security_Exceptions_API_SiemErrorResponse
description: Invalid input data response
'401':
content:
application/json:
schema:
- $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse'
+ $ref: >-
+ #/components/schemas/Security_Exceptions_API_PlatformErrorResponse
description: Unsuccessful authentication response
'403':
content:
application/json:
schema:
- $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse'
+ $ref: >-
+ #/components/schemas/Security_Exceptions_API_PlatformErrorResponse
description: Not enough privileges response
'404':
content:
@@ -17065,7 +19198,9 @@ paths:
tags:
- Security Exceptions API
get:
- description: Get the details of an exception list item using the `id` or `item_id` field.
+ description: >-
+ Get the details of an exception list item using the `id` or `item_id`
+ field.
operationId: ReadExceptionListItem
parameters:
- description: Either `id` or `item_id` must be specified
@@ -17079,12 +19214,14 @@ paths:
name: item_id
required: false
schema:
- $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemHumanId'
+ $ref: >-
+ #/components/schemas/Security_Exceptions_API_ExceptionListItemHumanId
- in: query
name: namespace_type
required: false
schema:
- $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType'
+ $ref: >-
+ #/components/schemas/Security_Exceptions_API_ExceptionNamespaceType
default: single
responses:
'200':
@@ -17098,20 +19235,24 @@ paths:
application/json:
schema:
oneOf:
- - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse'
- - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse'
+ - $ref: >-
+ #/components/schemas/Security_Exceptions_API_PlatformErrorResponse
+ - $ref: >-
+ #/components/schemas/Security_Exceptions_API_SiemErrorResponse
description: Invalid input data response
'401':
content:
application/json:
schema:
- $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse'
+ $ref: >-
+ #/components/schemas/Security_Exceptions_API_PlatformErrorResponse
description: Unsuccessful authentication response
'403':
content:
application/json:
schema:
- $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse'
+ $ref: >-
+ #/components/schemas/Security_Exceptions_API_PlatformErrorResponse
description: Not enough privileges response
'404':
content:
@@ -17129,9 +19270,12 @@ paths:
tags:
- Security Exceptions API
post:
- description: |
- Create an exception item and associate it with the specified exception list.
+ description: >
+ Create an exception item and associate it with the specified exception
+ list.
+
> info
+
> Before creating exception items, you must create an exception list.
operationId: CreateExceptionListItem
requestBody:
@@ -17141,34 +19285,45 @@ paths:
type: object
properties:
comments:
- $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemCommentArray'
+ $ref: >-
+ #/components/schemas/Security_Exceptions_API_CreateExceptionListItemCommentArray
default: []
description:
- $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemDescription'
+ $ref: >-
+ #/components/schemas/Security_Exceptions_API_ExceptionListItemDescription
entries:
- $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryArray'
+ $ref: >-
+ #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryArray
expire_time:
format: date-time
type: string
item_id:
- $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemHumanId'
+ $ref: >-
+ #/components/schemas/Security_Exceptions_API_ExceptionListItemHumanId
list_id:
- $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId'
+ $ref: >-
+ #/components/schemas/Security_Exceptions_API_ExceptionListHumanId
meta:
- $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemMeta'
+ $ref: >-
+ #/components/schemas/Security_Exceptions_API_ExceptionListItemMeta
name:
- $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemName'
+ $ref: >-
+ #/components/schemas/Security_Exceptions_API_ExceptionListItemName
namespace_type:
- $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType'
+ $ref: >-
+ #/components/schemas/Security_Exceptions_API_ExceptionNamespaceType
default: single
os_types:
- $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemOsTypeArray'
+ $ref: >-
+ #/components/schemas/Security_Exceptions_API_ExceptionListItemOsTypeArray
default: []
tags:
- $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemTags'
+ $ref: >-
+ #/components/schemas/Security_Exceptions_API_ExceptionListItemTags
default: []
type:
- $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemType'
+ $ref: >-
+ #/components/schemas/Security_Exceptions_API_ExceptionListItemType
required:
- list_id
- type
@@ -17189,20 +19344,24 @@ paths:
application/json:
schema:
oneOf:
- - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse'
- - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse'
+ - $ref: >-
+ #/components/schemas/Security_Exceptions_API_PlatformErrorResponse
+ - $ref: >-
+ #/components/schemas/Security_Exceptions_API_SiemErrorResponse
description: Invalid input data response
'401':
content:
application/json:
schema:
- $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse'
+ $ref: >-
+ #/components/schemas/Security_Exceptions_API_PlatformErrorResponse
description: Unsuccessful authentication response
'403':
content:
application/json:
schema:
- $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse'
+ $ref: >-
+ #/components/schemas/Security_Exceptions_API_PlatformErrorResponse
description: Not enough privileges response
'409':
content:
@@ -17231,37 +19390,49 @@ paths:
_version:
type: string
comments:
- $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemCommentArray'
+ $ref: >-
+ #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemCommentArray
default: []
description:
- $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemDescription'
+ $ref: >-
+ #/components/schemas/Security_Exceptions_API_ExceptionListItemDescription
entries:
- $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryArray'
+ $ref: >-
+ #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryArray
expire_time:
format: date-time
type: string
id:
- $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemId'
+ $ref: >-
+ #/components/schemas/Security_Exceptions_API_ExceptionListItemId
description: Either `id` or `item_id` must be specified
item_id:
- $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemHumanId'
+ $ref: >-
+ #/components/schemas/Security_Exceptions_API_ExceptionListItemHumanId
description: Either `id` or `item_id` must be specified
list_id:
- $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId'
+ $ref: >-
+ #/components/schemas/Security_Exceptions_API_ExceptionListHumanId
meta:
- $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemMeta'
+ $ref: >-
+ #/components/schemas/Security_Exceptions_API_ExceptionListItemMeta
name:
- $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemName'
+ $ref: >-
+ #/components/schemas/Security_Exceptions_API_ExceptionListItemName
namespace_type:
- $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType'
+ $ref: >-
+ #/components/schemas/Security_Exceptions_API_ExceptionNamespaceType
default: single
os_types:
- $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemOsTypeArray'
+ $ref: >-
+ #/components/schemas/Security_Exceptions_API_ExceptionListItemOsTypeArray
default: []
tags:
- $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemTags'
+ $ref: >-
+ #/components/schemas/Security_Exceptions_API_ExceptionListItemTags
type:
- $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemType'
+ $ref: >-
+ #/components/schemas/Security_Exceptions_API_ExceptionListItemType
required:
- type
- name
@@ -17281,20 +19452,24 @@ paths:
application/json:
schema:
oneOf:
- - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse'
- - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse'
+ - $ref: >-
+ #/components/schemas/Security_Exceptions_API_PlatformErrorResponse
+ - $ref: >-
+ #/components/schemas/Security_Exceptions_API_SiemErrorResponse
description: Invalid input data response
'401':
content:
application/json:
schema:
- $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse'
+ $ref: >-
+ #/components/schemas/Security_Exceptions_API_PlatformErrorResponse
description: Unsuccessful authentication response
'403':
content:
application/json:
schema:
- $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse'
+ $ref: >-
+ #/components/schemas/Security_Exceptions_API_PlatformErrorResponse
description: Not enough privileges response
'404':
content:
@@ -17322,10 +19497,13 @@ paths:
required: true
schema:
items:
- $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId'
+ $ref: >-
+ #/components/schemas/Security_Exceptions_API_ExceptionListHumanId
type: array
- - description: |
- Filters the returned results according to the value of the specified field,
+ - description: >
+ Filters the returned results according to the value of the specified
+ field,
+
using the `:` syntax.
in: query
name: filter
@@ -17333,10 +19511,13 @@ paths:
schema:
default: []
items:
- $ref: '#/components/schemas/Security_Exceptions_API_FindExceptionListItemsFilter'
+ $ref: >-
+ #/components/schemas/Security_Exceptions_API_FindExceptionListItemsFilter
type: array
- - description: |
- Determines whether the returned containers are Kibana associated with a Kibana space
+ - description: >
+ Determines whether the returned containers are Kibana associated
+ with a Kibana space
+
or available in all spaces (`agnostic` or `single`)
in: query
name: namespace_type
@@ -17345,7 +19526,8 @@ paths:
default:
- single
items:
- $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType'
+ $ref: >-
+ #/components/schemas/Security_Exceptions_API_ExceptionNamespaceType
type: array
- in: query
name: search
@@ -17390,7 +19572,8 @@ paths:
properties:
data:
items:
- $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItem'
+ $ref: >-
+ #/components/schemas/Security_Exceptions_API_ExceptionListItem
type: array
page:
minimum: 1
@@ -17414,20 +19597,24 @@ paths:
application/json:
schema:
oneOf:
- - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse'
- - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse'
+ - $ref: >-
+ #/components/schemas/Security_Exceptions_API_PlatformErrorResponse
+ - $ref: >-
+ #/components/schemas/Security_Exceptions_API_SiemErrorResponse
description: Invalid input data response
'401':
content:
application/json:
schema:
- $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse'
+ $ref: >-
+ #/components/schemas/Security_Exceptions_API_PlatformErrorResponse
description: Unsuccessful authentication response
'403':
content:
application/json:
schema:
- $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse'
+ $ref: >-
+ #/components/schemas/Security_Exceptions_API_PlatformErrorResponse
description: Not enough privileges response
'404':
content:
@@ -17465,7 +19652,8 @@ paths:
name: namespace_type
required: false
schema:
- $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType'
+ $ref: >-
+ #/components/schemas/Security_Exceptions_API_ExceptionNamespaceType
default: single
- description: Search filter clause
in: query
@@ -17498,20 +19686,24 @@ paths:
application/json:
schema:
oneOf:
- - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse'
- - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse'
+ - $ref: >-
+ #/components/schemas/Security_Exceptions_API_PlatformErrorResponse
+ - $ref: >-
+ #/components/schemas/Security_Exceptions_API_SiemErrorResponse
description: Invalid input data response
'401':
content:
application/json:
schema:
- $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse'
+ $ref: >-
+ #/components/schemas/Security_Exceptions_API_PlatformErrorResponse
description: Unsuccessful authentication response
'403':
content:
application/json:
schema:
- $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse'
+ $ref: >-
+ #/components/schemas/Security_Exceptions_API_PlatformErrorResponse
description: Not enough privileges response
'404':
content:
@@ -17530,10 +19722,19 @@ paths:
- Security Exceptions API
/api/exceptions/shared:
post:
- description: |
- An exception list groups exception items and can be associated with detection rules. A shared exception list can apply to multiple detection rules.
+ description: >
+ An exception list groups exception items and can be associated with
+ detection rules. A shared exception list can apply to multiple detection
+ rules.
+
> info
- > All exception items added to the same list are evaluated using `OR` logic. That is, if any of the items in a list evaluate to `true`, the exception prevents the rule from generating an alert. Likewise, `OR` logic is used for evaluating exceptions when more than one exception list is assigned to a rule. To use the `AND` operator, you can define multiple clauses (`entries`) in a single exception item.
+
+ > All exception items added to the same list are evaluated using `OR`
+ logic. That is, if any of the items in a list evaluate to `true`, the
+ exception prevents the rule from generating an alert. Likewise, `OR`
+ logic is used for evaluating exceptions when more than one exception
+ list is assigned to a rule. To use the `AND` operator, you can define
+ multiple clauses (`entries`) in a single exception item.
operationId: CreateSharedExceptionList
requestBody:
content:
@@ -17542,9 +19743,11 @@ paths:
type: object
properties:
description:
- $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListDescription'
+ $ref: >-
+ #/components/schemas/Security_Exceptions_API_ExceptionListDescription
name:
- $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListName'
+ $ref: >-
+ #/components/schemas/Security_Exceptions_API_ExceptionListName
required:
- name
- description
@@ -17561,20 +19764,24 @@ paths:
application/json:
schema:
oneOf:
- - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse'
- - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse'
+ - $ref: >-
+ #/components/schemas/Security_Exceptions_API_PlatformErrorResponse
+ - $ref: >-
+ #/components/schemas/Security_Exceptions_API_SiemErrorResponse
description: Invalid input data response
'401':
content:
application/json:
schema:
- $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse'
+ $ref: >-
+ #/components/schemas/Security_Exceptions_API_PlatformErrorResponse
description: Unsuccessful authentication response
'403':
content:
application/json:
schema:
- $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse'
+ $ref: >-
+ #/components/schemas/Security_Exceptions_API_PlatformErrorResponse
description: Not enough privileges response
'409':
content:
@@ -17629,7 +19836,8 @@ paths:
application/json:
schema:
oneOf:
- - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
+ - $ref: >-
+ #/components/schemas/Security_Lists_API_PlatformErrorResponse
- $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
description: Invalid input data response
'401':
@@ -17681,7 +19889,8 @@ paths:
application/json:
schema:
oneOf:
- - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
+ - $ref: >-
+ #/components/schemas/Security_Lists_API_PlatformErrorResponse
- $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
description: Invalid input data response
'401':
@@ -17749,7 +19958,8 @@ paths:
application/json:
schema:
oneOf:
- - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
+ - $ref: >-
+ #/components/schemas/Security_Lists_API_PlatformErrorResponse
- $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
description: Invalid input data response
'401':
@@ -17824,7 +20034,8 @@ paths:
application/json:
schema:
oneOf:
- - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
+ - $ref: >-
+ #/components/schemas/Security_Lists_API_PlatformErrorResponse
- $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
description: Invalid input data response
'401':
@@ -17855,9 +20066,12 @@ paths:
tags:
- Security Lists API
put:
- description: |
- Update a list using the list ID. The original list is replaced, and all unspecified fields are deleted.
+ description: >
+ Update a list using the list ID. The original list is replaced, and all
+ unspecified fields are deleted.
+
> info
+
> You cannot modify the `id` value.
operationId: UpdateList
requestBody:
@@ -17897,7 +20111,8 @@ paths:
application/json:
schema:
oneOf:
- - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
+ - $ref: >-
+ #/components/schemas/Security_Lists_API_PlatformErrorResponse
- $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
description: Invalid input data response
'401':
@@ -17929,7 +20144,9 @@ paths:
- Security Lists API
/api/lists/_find:
get:
- description: Get a paginated subset of lists. By default, the first page is returned, with 20 results per page.
+ description: >-
+ Get a paginated subset of lists. By default, the first page is returned,
+ with 20 results per page.
operationId: FindLists
parameters:
- description: The page number to return
@@ -17959,17 +20176,24 @@ paths:
- desc
- asc
type: string
- - description: |
- Returns the list that come after the last list returned in the previous call
- (use the cursor value returned in the previous call). This parameter uses
- the `tie_breaker_id` field to ensure all lists are sorted and returned correctly.
+ - description: >
+ Returns the list that come after the last list returned in the
+ previous call
+
+ (use the cursor value returned in the previous call). This parameter
+ uses
+
+ the `tie_breaker_id` field to ensure all lists are sorted and
+ returned correctly.
in: query
name: cursor
required: false
schema:
$ref: '#/components/schemas/Security_Lists_API_FindListsCursor'
- - description: |
- Filters the returned results according to the value of the specified field,
+ - description: >
+ Filters the returned results according to the value of the specified
+ field,
+
using the : syntax.
in: query
name: filter
@@ -18010,7 +20234,8 @@ paths:
application/json:
schema:
oneOf:
- - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
+ - $ref: >-
+ #/components/schemas/Security_Lists_API_PlatformErrorResponse
- $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
description: Invalid input data response
'401':
@@ -18055,7 +20280,8 @@ paths:
application/json:
schema:
oneOf:
- - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
+ - $ref: >-
+ #/components/schemas/Security_Lists_API_PlatformErrorResponse
- $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
description: Invalid input data response
'401':
@@ -18108,7 +20334,8 @@ paths:
application/json:
schema:
oneOf:
- - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
+ - $ref: >-
+ #/components/schemas/Security_Lists_API_PlatformErrorResponse
- $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
description: Invalid input data response
'401':
@@ -18158,7 +20385,8 @@ paths:
application/json:
schema:
oneOf:
- - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
+ - $ref: >-
+ #/components/schemas/Security_Lists_API_PlatformErrorResponse
- $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
description: Invalid input data response
'401':
@@ -18211,7 +20439,9 @@ paths:
required: false
schema:
type: string
- - description: Determines when changes made by the request are made visible to search
+ - description: >-
+ Determines when changes made by the request are made visible to
+ search
in: query
name: refresh
required: false
@@ -18238,7 +20468,8 @@ paths:
application/json:
schema:
oneOf:
- - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
+ - $ref: >-
+ #/components/schemas/Security_Lists_API_PlatformErrorResponse
- $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
description: Invalid input data response
'401':
@@ -18306,7 +20537,8 @@ paths:
application/json:
schema:
oneOf:
- - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
+ - $ref: >-
+ #/components/schemas/Security_Lists_API_PlatformErrorResponse
- $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
description: Invalid input data response
'401':
@@ -18352,7 +20584,9 @@ paths:
meta:
$ref: '#/components/schemas/Security_Lists_API_ListItemMetadata'
refresh:
- description: Determines when changes made by the request are made visible to search
+ description: >-
+ Determines when changes made by the request are made visible
+ to search
enum:
- 'true'
- 'false'
@@ -18376,7 +20610,8 @@ paths:
application/json:
schema:
oneOf:
- - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
+ - $ref: >-
+ #/components/schemas/Security_Lists_API_PlatformErrorResponse
- $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
description: Invalid input data response
'401':
@@ -18407,11 +20642,15 @@ paths:
tags:
- Security Lists API
post:
- description: |
+ description: >
Create a list item and associate it with the specified list.
- All list items in the same list must be the same type. For example, each list item in an `ip` list must define a specific IP address.
+
+ All list items in the same list must be the same type. For example, each
+ list item in an `ip` list must define a specific IP address.
+
> info
+
> Before creating a list item, you must create a list.
operationId: CreateListItem
requestBody:
@@ -18427,7 +20666,9 @@ paths:
meta:
$ref: '#/components/schemas/Security_Lists_API_ListItemMetadata'
refresh:
- description: Determines when changes made by the request are made visible to search
+ description: >-
+ Determines when changes made by the request are made visible
+ to search
enum:
- 'true'
- 'false'
@@ -18452,7 +20693,8 @@ paths:
application/json:
schema:
oneOf:
- - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
+ - $ref: >-
+ #/components/schemas/Security_Lists_API_PlatformErrorResponse
- $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
description: Invalid input data response
'401':
@@ -18483,9 +20725,12 @@ paths:
tags:
- Security Lists API
put:
- description: |
- Update a list item using the list item ID. The original list item is replaced, and all unspecified fields are deleted.
+ description: >
+ Update a list item using the list item ID. The original list item is
+ replaced, and all unspecified fields are deleted.
+
> info
+
> You cannot modify the `id` value.
operationId: UpdateListItem
requestBody:
@@ -18519,7 +20764,8 @@ paths:
application/json:
schema:
oneOf:
- - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
+ - $ref: >-
+ #/components/schemas/Security_Lists_API_PlatformErrorResponse
- $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
description: Invalid input data response
'401':
@@ -18574,7 +20820,8 @@ paths:
application/json:
schema:
oneOf:
- - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
+ - $ref: >-
+ #/components/schemas/Security_Lists_API_PlatformErrorResponse
- $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
description: Invalid input data response
'401':
@@ -18642,17 +20889,24 @@ paths:
- desc
- asc
type: string
- - description: |
- Returns the list that come after the last list returned in the previous call
- (use the cursor value returned in the previous call). This parameter uses
- the `tie_breaker_id` field to ensure all lists are sorted and returned correctly.
+ - description: >
+ Returns the list that come after the last list returned in the
+ previous call
+
+ (use the cursor value returned in the previous call). This parameter
+ uses
+
+ the `tie_breaker_id` field to ensure all lists are sorted and
+ returned correctly.
in: query
name: cursor
required: false
schema:
$ref: '#/components/schemas/Security_Lists_API_FindListItemsCursor'
- - description: |
- Filters the returned results according to the value of the specified field,
+ - description: >
+ Filters the returned results according to the value of the specified
+ field,
+
using the : syntax.
in: query
name: filter
@@ -18667,7 +20921,8 @@ paths:
type: object
properties:
cursor:
- $ref: '#/components/schemas/Security_Lists_API_FindListItemsCursor'
+ $ref: >-
+ #/components/schemas/Security_Lists_API_FindListItemsCursor
data:
items:
$ref: '#/components/schemas/Security_Lists_API_ListItem'
@@ -18693,7 +20948,8 @@ paths:
application/json:
schema:
oneOf:
- - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
+ - $ref: >-
+ #/components/schemas/Security_Lists_API_PlatformErrorResponse
- $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
description: Invalid input data response
'401':
@@ -18719,8 +20975,10 @@ paths:
- Security Lists API
/api/lists/items/_import:
post:
- description: |
- Import list items from a TXT or CSV file. The maximum file size is 9 million bytes.
+ description: >
+ Import list items from a TXT or CSV file. The maximum file size is 9
+ million bytes.
+
You can import items to a new or existing list.
operationId: ImportListItems
@@ -18734,10 +20992,12 @@ paths:
required: false
schema:
$ref: '#/components/schemas/Security_Lists_API_ListId'
- - description: |
+ - description: >
Type of the importing list.
- Required when importing a new list that is `list_id` is not specified.
+
+ Required when importing a new list that is `list_id` is not
+ specified.
in: query
name: type
required: false
@@ -18753,7 +21013,9 @@ paths:
required: false
schema:
type: string
- - description: Determines when changes made by the request are made visible to search
+ - description: >-
+ Determines when changes made by the request are made visible to
+ search
in: query
name: refresh
required: false
@@ -18770,7 +21032,9 @@ paths:
type: object
properties:
file:
- description: A `.txt` or `.csv` file containing newline separated list items
+ description: >-
+ A `.txt` or `.csv` file containing newline separated list
+ items
format: binary
type: string
required: true
@@ -18786,7 +21050,8 @@ paths:
application/json:
schema:
oneOf:
- - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
+ - $ref: >-
+ #/components/schemas/Security_Lists_API_PlatformErrorResponse
- $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
description: Invalid input data response
'401':
@@ -18842,7 +21107,8 @@ paths:
application/json:
schema:
oneOf:
- - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
+ - $ref: >-
+ #/components/schemas/Security_Lists_API_PlatformErrorResponse
- $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
description: Invalid input data response
'401':
@@ -18868,9 +21134,12 @@ paths:
- Security Lists API
/api/logstash/pipeline/{id}:
delete:
- description: |
+ description: >
Delete a centrally-managed Logstash pipeline.
- If your Elasticsearch cluster is protected with basic authentication, you must have either the `logstash_admin` built-in role or a customized Logstash writer role.
+
+ If your Elasticsearch cluster is protected with basic authentication,
+ you must have either the `logstash_admin` built-in role or a customized
+ Logstash writer role.
externalDocs:
description: Secure your connection
url: https://www.elastic.co/guide/en/logstash/current/ls-security.html
@@ -18890,9 +21159,11 @@ paths:
- logstash
x-state: Technical Preview
get:
- description: |
+ description: >
Get information for a centrally-managed Logstash pipeline.
- To use this API, you must have either the `logstash_admin` built-in role or a customized Logstash reader role.
+
+ To use this API, you must have either the `logstash_admin` built-in role
+ or a customized Logstash reader role.
externalDocs:
description: Secure your connection
url: https://www.elastic.co/guide/en/logstash/current/ls-security.html
@@ -18928,16 +21199,19 @@ paths:
- logstash
x-state: Technical Preview
put:
- description: |
+ description: >
Create a centrally-managed Logstash pipeline or update a pipeline.
- To use this API, you must have either the `logstash_admin` built-in role or a customized Logstash writer role.
+
+ To use this API, you must have either the `logstash_admin` built-in role
+ or a customized Logstash writer role.
externalDocs:
description: Secure your connection
url: https://www.elastic.co/guide/en/logstash/current/ls-security.html
operationId: put-logstash-pipeline
parameters:
- - description: |
- An identifier for the pipeline. Only alphanumeric characters, hyphens, and underscores are supported.
+ - description: >
+ An identifier for the pipeline. Only alphanumeric characters,
+ hyphens, and underscores are supported.
in: path
name: id
required: true
@@ -18965,16 +21239,25 @@ paths:
description: A definition for the pipeline.
type: string
settings:
- description: |
- Supported settings, represented as object keys, include the following:
+ description: >
+ Supported settings, represented as object keys, include the
+ following:
+
- `pipeline.workers`
+
- `pipeline.batch.size`
+
- `pipeline.batch.delay`
+
- `pipeline.ecs_compatibility`
+
- `pipeline.ordered`
+
- `queue.type`
+
- `queue.max_bytes`
+
- `queue.checkpoint.writes`
type: object
required:
@@ -18988,14 +21271,22 @@ paths:
x-state: Technical Preview
/api/logstash/pipelines:
get:
- description: |
+ description: >
Get a list of all centrally-managed Logstash pipelines.
- To use this API, you must have either the `logstash_admin` built-in role or a customized Logstash reader role.
+
+ To use this API, you must have either the `logstash_admin` built-in role
+ or a customized Logstash reader role.
+
> info
- > Limit the number of pipelines to 10,000 or fewer. As the number of pipelines nears and surpasses 10,000, you may see performance issues on Kibana.
- The `username` property appears in the response when security is enabled and depends on when the pipeline was created or last updated.
+ > Limit the number of pipelines to 10,000 or fewer. As the number of
+ pipelines nears and surpasses 10,000, you may see performance issues on
+ Kibana.
+
+
+ The `username` property appears in the response when security is enabled
+ and depends on when the pipeline was created or last updated.
externalDocs:
description: Secure your connection
url: https://www.elastic.co/guide/en/logstash/current/ls-security.html
@@ -19031,8 +21322,12 @@ paths:
x-state: Technical Preview
/api/ml/saved_objects/sync:
get:
- description: |
- Synchronizes Kibana saved objects for machine learning jobs and trained models in the default space. You must have `all` privileges for the **Machine Learning** feature in the **Analytics** section of the Kibana feature privileges. This API runs automatically when you start Kibana and periodically thereafter.
+ description: >
+ Synchronizes Kibana saved objects for machine learning jobs and trained
+ models in the default space. You must have `all` privileges for the
+ **Machine Learning** feature in the **Analytics** section of the Kibana
+ feature privileges. This API runs automatically when you start Kibana
+ and periodically thereafter.
operationId: mlSync
parameters:
- $ref: '#/components/parameters/Machine_learning_APIs_simulateParam'
@@ -19096,6 +21391,7 @@ paths:
summary: Delete a note
tags:
- Security Timeline API
+ - access:securitySolution
get:
description: Get all notes for a given document.
operationId: GetNotes
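Review bot: The new `- access:securitySolution` entry appended to the `tags` list of the Delete-a-note operation looks like an internal route-authorization tag (the `access:` prefix is how a route declares a required privilege) rather than a user-facing grouping, so the generated spec will now render a spurious "access:securitySolution" tag group next to "Security Timeline API". If the intent is to document the privilege the caller needs, that belongs in the operation's `description` as prose, e.g. `description: 'Delete a note. [Required authorization] Route required privileges: securitySolution.'`, and the generator should filter `access:`-prefixed entries out of `tags` before emitting; if it was not intended, confirm whether surfacing the internal privilege identifier in the public spec is acceptable at all. The same tag is added in this diff to the Get notes, Add or update a note, and Pin/unpin an event operations, so whichever fix is chosen should cover all four.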
@@ -19159,6 +21455,7 @@ paths:
summary: Get notes
tags:
- Security Timeline API
+ - access:securitySolution
patch:
description: Add a note to a Timeline or update an existing note.
operationId: PersistNoteRoute
@@ -19196,7 +21493,8 @@ paths:
type: object
properties:
persistNote:
- $ref: '#/components/schemas/Security_Timeline_API_ResponseNote'
+ $ref: >-
+ #/components/schemas/Security_Timeline_API_ResponseNote
required:
- persistNote
required:
@@ -19205,6 +21503,7 @@ paths:
summary: Add or update a note
tags:
- Security Timeline API
+ - access:securitySolution
/api/osquery/live_queries:
get:
description: Get a list of all live queries.
@@ -19240,7 +21539,8 @@ paths:
content:
application/json:
schema:
- $ref: '#/components/schemas/Security_Osquery_API_FindLiveQueryResponse'
+ $ref: >-
+ #/components/schemas/Security_Osquery_API_FindLiveQueryResponse
description: OK
summary: Get live queries
tags:
@@ -19252,14 +21552,16 @@ paths:
content:
application/json:
schema:
- $ref: '#/components/schemas/Security_Osquery_API_CreateLiveQueryRequestBody'
+ $ref: >-
+ #/components/schemas/Security_Osquery_API_CreateLiveQueryRequestBody
required: true
responses:
'200':
content:
application/json:
schema:
- $ref: '#/components/schemas/Security_Osquery_API_CreateLiveQueryResponse'
+ $ref: >-
+ #/components/schemas/Security_Osquery_API_CreateLiveQueryResponse
description: OK
summary: Create a live query
tags:
@@ -19281,7 +21583,8 @@ paths:
content:
application/json:
schema:
- $ref: '#/components/schemas/Security_Osquery_API_FindLiveQueryDetailsResponse'
+ $ref: >-
+ #/components/schemas/Security_Osquery_API_FindLiveQueryDetailsResponse
description: OK
summary: Get live query details
tags:
@@ -19335,7 +21638,8 @@ paths:
content:
application/json:
schema:
- $ref: '#/components/schemas/Security_Osquery_API_GetLiveQueryResultsResponse'
+ $ref: >-
+ #/components/schemas/Security_Osquery_API_GetLiveQueryResultsResponse
description: OK
summary: Get live query results
tags:
@@ -19493,7 +21797,8 @@ paths:
content:
application/json:
schema:
- $ref: '#/components/schemas/Security_Osquery_API_FindSavedQueryResponse'
+ $ref: >-
+ #/components/schemas/Security_Osquery_API_FindSavedQueryResponse
description: OK
summary: Get saved queries
tags:
@@ -19505,14 +21810,16 @@ paths:
content:
application/json:
schema:
- $ref: '#/components/schemas/Security_Osquery_API_CreateSavedQueryRequestBody'
+ $ref: >-
+ #/components/schemas/Security_Osquery_API_CreateSavedQueryRequestBody
required: true
responses:
'200':
content:
application/json:
schema:
- $ref: '#/components/schemas/Security_Osquery_API_CreateSavedQueryResponse'
+ $ref: >-
+ #/components/schemas/Security_Osquery_API_CreateSavedQueryResponse
description: OK
summary: Create a saved query
tags:
@@ -19532,7 +21839,8 @@ paths:
content:
application/json:
schema:
- $ref: '#/components/schemas/Security_Osquery_API_DefaultSuccessResponse'
+ $ref: >-
+ #/components/schemas/Security_Osquery_API_DefaultSuccessResponse
description: OK
summary: Delete a saved query
tags:
@@ -19551,7 +21859,8 @@ paths:
content:
application/json:
schema:
- $ref: '#/components/schemas/Security_Osquery_API_FindSavedQueryDetailResponse'
+ $ref: >-
+ #/components/schemas/Security_Osquery_API_FindSavedQueryDetailResponse
description: OK
summary: Get saved query details
tags:
@@ -19572,14 +21881,16 @@ paths:
content:
application/json:
schema:
- $ref: '#/components/schemas/Security_Osquery_API_UpdateSavedQueryRequestBody'
+ $ref: >-
+ #/components/schemas/Security_Osquery_API_UpdateSavedQueryRequestBody
required: true
responses:
'200':
content:
application/json:
schema:
- $ref: '#/components/schemas/Security_Osquery_API_UpdateSavedQueryResponse'
+ $ref: >-
+ #/components/schemas/Security_Osquery_API_UpdateSavedQueryResponse
description: OK
summary: Update a saved query
tags:
@@ -19604,7 +21915,9 @@ paths:
nullable: true
type: string
timelineId:
- description: The `savedObjectId` of the timeline that you want this pinned event unpinned from.
+ description: >-
+ The `savedObjectId` of the timeline that you want this
+ pinned event unpinned from.
example: 15c1929b-0af7-42bd-85a8-56e234cc7c4e
type: string
required:
@@ -19623,18 +21936,24 @@ paths:
type: object
properties:
persistPinnedEventOnTimeline:
- $ref: '#/components/schemas/Security_Timeline_API_PersistPinnedEventResponse'
+ $ref: >-
+ #/components/schemas/Security_Timeline_API_PersistPinnedEventResponse
required:
- persistPinnedEventOnTimeline
required:
- data
- description: Indicates the event was successfully pinned to or unpinned from the Timeline.
+ description: >-
+ Indicates the event was successfully pinned to or unpinned from the
+ Timeline.
summary: Pin/unpin an event
tags:
- Security Timeline API
+ - access:securitySolution
/api/risk_score/engine/dangerously_delete_data:
delete:
- description: Cleaning up the the Risk Engine by removing the indices, mapping and transforms
+ description: >-
+ Cleaning up the the Risk Engine by removing the indices, mapping and
+ transforms
operationId: CleanUpRiskEngine
responses:
'200':
@@ -19650,13 +21969,15 @@ paths:
content:
application/json:
schema:
- $ref: '#/components/schemas/Security_Entity_Analytics_API_TaskManagerUnavailableResponse'
+ $ref: >-
+ #/components/schemas/Security_Entity_Analytics_API_TaskManagerUnavailableResponse
description: Task manager is unavailable
default:
content:
application/json:
schema:
- $ref: '#/components/schemas/Security_Entity_Analytics_API_CleanUpRiskEngineErrorResponse'
+ $ref: >-
+ #/components/schemas/Security_Entity_Analytics_API_CleanUpRiskEngineErrorResponse
description: Unexpected error
summary: Cleanup the Risk Engine
tags:
@@ -19701,20 +22022,25 @@ paths:
content:
application/json:
schema:
- $ref: '#/components/schemas/Security_Entity_Analytics_API_TaskManagerUnavailableResponse'
+ $ref: >-
+ #/components/schemas/Security_Entity_Analytics_API_TaskManagerUnavailableResponse
description: Task manager is unavailable
default:
content:
application/json:
schema:
- $ref: '#/components/schemas/Security_Entity_Analytics_API_ConfigureRiskEngineSavedObjectErrorResponse'
+ $ref: >-
+ #/components/schemas/Security_Entity_Analytics_API_ConfigureRiskEngineSavedObjectErrorResponse
description: Unexpected error
summary: Configure the Risk Engine Saved Object
tags:
- Security Entity Analytics API
/api/risk_score/engine/schedule_now:
post:
- description: Schedule the risk scoring engine to run as soon as possible. You can use this to recalculate entity risk scores after updating their asset criticality.
+ description: >-
+ Schedule the risk scoring engine to run as soon as possible. You can use
+ this to recalculate entity risk scores after updating their asset
+ criticality.
operationId: ScheduleRiskEngineNow
requestBody:
content:
@@ -19724,19 +22050,22 @@ paths:
content:
application/json:
schema:
- $ref: '#/components/schemas/Security_Entity_Analytics_API_RiskEngineScheduleNowResponse'
+ $ref: >-
+ #/components/schemas/Security_Entity_Analytics_API_RiskEngineScheduleNowResponse
description: Successful response
'400':
content:
application/json:
schema:
- $ref: '#/components/schemas/Security_Entity_Analytics_API_TaskManagerUnavailableResponse'
+ $ref: >-
+ #/components/schemas/Security_Entity_Analytics_API_TaskManagerUnavailableResponse
description: Task manager is unavailable
default:
content:
application/json:
schema:
- $ref: '#/components/schemas/Security_Entity_Analytics_API_RiskEngineScheduleNowErrorResponse'
+ $ref: >-
+ #/components/schemas/Security_Entity_Analytics_API_RiskEngineScheduleNowErrorResponse
description: Unexpected error
summary: Run the risk scoring engine
tags:
@@ -19784,8 +22113,19 @@ paths:
operationId: bulkDeleteSavedObjects
parameters:
- $ref: '#/components/parameters/Saved_objects_kbn_xsrf'
- - description: |
- When true, force delete objects that exist in multiple namespaces. Note that the option applies to the whole request. Use the delete object API to specify per-object deletion behavior. TIP: Use this if you attempted to delete objects and received an HTTP 400 error with the following message: "Unable to delete saved object that exists in multiple namespaces, use the force option to delete it anyway". WARNING: When you bulk delete objects that exist in multiple namespaces, the API also deletes legacy url aliases that reference the object. These requests are batched to minimise the impact but they can place a heavy load on Kibana. Make sure you limit the number of objects that exist in multiple namespaces in a single bulk delete operation.
+ - description: >
+ When true, force delete objects that exist in multiple namespaces.
+ Note that the option applies to the whole request. Use the delete
+ object API to specify per-object deletion behavior. TIP: Use this if
+ you attempted to delete objects and received an HTTP 400 error with
+ the following message: "Unable to delete saved object that exists in
+ multiple namespaces, use the force option to delete it anyway".
+ WARNING: When you bulk delete objects that exist in multiple
+ namespaces, the API also deletes legacy url aliases that reference
+ the object. These requests are batched to minimise the impact but
+ they can place a heavy load on Kibana. Make sure you limit the
+ number of objects that exist in multiple namespaces in a single bulk
+ delete operation.
in: query
name: force
schema:
@@ -19804,8 +22144,10 @@ paths:
application/json:
schema:
type: object
- description: |
- Indicates a successful call. NOTE: This HTTP response code indicates that the bulk operation succeeded. Errors pertaining to individual objects will be returned in the response body.
+ description: >
+ Indicates a successful call. NOTE: This HTTP response code indicates
+ that the bulk operation succeeded. Errors pertaining to individual
+ objects will be returned in the response body.
'400':
content:
application/json:
@@ -19848,8 +22190,14 @@ paths:
/api/saved_objects/_bulk_resolve:
post:
deprecated: true
- description: |
- Retrieve multiple Kibana saved objects by identifier using any legacy URL aliases if they exist. Under certain circumstances when Kibana is upgraded, saved object migrations may necessitate regenerating some object IDs to enable new features. When an object's ID is regenerated, a legacy URL alias is created for that object, preserving its old ID. In such a scenario, that object can be retrieved by the bulk resolve API using either its new ID or its old ID.
+ description: >
+ Retrieve multiple Kibana saved objects by identifier using any legacy
+ URL aliases if they exist. Under certain circumstances when Kibana is
+ upgraded, saved object migrations may necessitate regenerating some
+ object IDs to enable new features. When an object's ID is regenerated, a
+ legacy URL alias is created for that object, preserving its old ID. In
+ such a scenario, that object can be retrieved by the bulk resolve API
+ using either its new ID or its old ID.
operationId: bulkResolveSavedObjects
parameters:
- $ref: '#/components/parameters/Saved_objects_kbn_xsrf'
@@ -19867,8 +22215,10 @@ paths:
application/json:
schema:
type: object
- description: |
- Indicates a successful call. NOTE: This HTTP response code indicates that the bulk operation succeeded. Errors pertaining to individual objects will be returned in the response body.
+ description: >
+ Indicates a successful call. NOTE: This HTTP response code indicates
+ that the bulk operation succeeded. Errors pertaining to individual
+ objects will be returned in the response body.
'400':
content:
application/json:
@@ -19899,8 +22249,10 @@ paths:
application/json:
schema:
type: object
- description: |
- Indicates a successful call. NOTE: This HTTP response code indicates that the bulk operation succeeded. Errors pertaining to individual objects will be returned in the response body.
+ description: >
+ Indicates a successful call. NOTE: This HTTP response code indicates
+ that the bulk operation succeeded. Errors pertaining to individual
+ objects will be returned in the response body.
'400':
content:
application/json:
@@ -19912,13 +22264,18 @@ paths:
- saved objects
/api/saved_objects/_export:
post:
- description: |
+ description: >
Retrieve sets of saved objects that you want to import into Kibana.
+
You must include `type` or `objects` in the request body.
- Exported saved objects are not backwards compatible and cannot be imported into an older version of Kibana.
- NOTE: The `savedObjects.maxImportExportSize` configuration setting limits the number of saved objects which may be exported.
+ Exported saved objects are not backwards compatible and cannot be
+ imported into an older version of Kibana.
+
+
+ NOTE: The `savedObjects.maxImportExportSize` configuration setting
+ limits the number of saved objects which may be exported.
operationId: exportSavedObjectsDefault
parameters:
- $ref: '#/components/parameters/Saved_objects_kbn_xsrf'
@@ -19936,7 +22293,9 @@ paths:
description: Do not add export details entry at the end of the stream.
type: boolean
includeReferencesDeep:
- description: Includes all of the referenced objects in the exported objects.
+ description: >-
+ Includes all of the referenced objects in the exported
+ objects.
type: boolean
objects:
description: A list of objects to export.
@@ -19944,7 +22303,9 @@ paths:
type: object
type: array
type:
- description: The saved object types to include in the export. Use `*` to export all the types.
+ description: >-
+ The saved object types to include in the export. Use `*` to
+ export all the types.
oneOf:
- type: string
- items:
@@ -19977,8 +22338,15 @@ paths:
description: Retrieve a paginated set of Kibana saved objects.
operationId: findSavedObjects
parameters:
- - description: |
- An aggregation structure, serialized as a string. The field format is similar to filter, meaning that to use a saved object type attribute in the aggregation, the `savedObjectType.attributes.title: "myTitle"` format must be used. For root fields, the syntax is `savedObjectType.rootField`. NOTE: As objects change in Kibana, the results on each page of the response also change. Use the find API for traditional paginated results, but avoid using it to export large amounts of data.
+ - description: >
+ An aggregation structure, serialized as a string. The field format
+ is similar to filter, meaning that to use a saved object type
+ attribute in the aggregation, the `savedObjectType.attributes.title:
+ "myTitle"` format must be used. For root fields, the syntax is
+ `savedObjectType.rootField`. NOTE: As objects change in Kibana, the
+ results on each page of the response also change. Use the find API
+ for traditional paginated results, but avoid using it to export
+ large amounts of data.
in: query
name: aggs
schema:
@@ -19995,28 +22363,41 @@ paths:
oneOf:
- type: string
- type: array
- - description: |
- The filter is a KQL string with the caveat that if you filter with an attribute from your saved object type, it should look like that: `savedObjectType.attributes.title: "myTitle"`. However, if you use a root attribute of a saved object such as `updated_at`, you will have to define your filter like that: `savedObjectType.updated_at > 2018-12-22`.
+ - description: >
+ The filter is a KQL string with the caveat that if you filter with
+ an attribute from your saved object type, it should look like that:
+ `savedObjectType.attributes.title: "myTitle"`. However, if you use a
+ root attribute of a saved object such as `updated_at`, you will have
+ to define your filter like that: `savedObjectType.updated_at >
+ 2018-12-22`.
in: query
name: filter
schema:
type: string
- - description: Filters to objects that do not have a relationship with the type and identifier combination.
+ - description: >-
+ Filters to objects that do not have a relationship with the type and
+ identifier combination.
in: query
name: has_no_reference
schema:
type: object
- - description: The operator to use for the `has_no_reference` parameter. Either `OR` or `AND`. Defaults to `OR`.
+ - description: >-
+ The operator to use for the `has_no_reference` parameter. Either
+ `OR` or `AND`. Defaults to `OR`.
in: query
name: has_no_reference_operator
schema:
type: string
- - description: Filters to objects that have a relationship with the type and ID combination.
+ - description: >-
+ Filters to objects that have a relationship with the type and ID
+ combination.
in: query
name: has_reference
schema:
type: object
- - description: The operator to use for the `has_reference` parameter. Either `OR` or `AND`. Defaults to `OR`.
+ - description: >-
+ The operator to use for the `has_reference` parameter. Either `OR`
+ or `AND`. Defaults to `OR`.
in: query
name: has_reference_operator
schema:
@@ -20031,20 +22412,30 @@ paths:
name: per_page
schema:
type: integer
- - description: An Elasticsearch `simple_query_string` query that filters the objects in the response.
+ - description: >-
+ An Elasticsearch `simple_query_string` query that filters the
+ objects in the response.
in: query
name: search
schema:
type: string
- - description: The fields to perform the `simple_query_string` parsed query against.
+ - description: >-
+ The fields to perform the `simple_query_string` parsed query
+ against.
in: query
name: search_fields
schema:
oneOf:
- type: string
- type: array
- - description: |
- Sorts the response. Includes "root" and "type" fields. "root" fields exist for all saved objects, such as "updated_at". "type" fields are specific to an object type, such as fields returned in the attributes key of the response. When a single type is defined in the type parameter, the "root" and "type" fields are allowed, and validity checks are made in that order. When multiple types are defined in the type parameter, only "root" fields are allowed.
+ - description: >
+ Sorts the response. Includes "root" and "type" fields. "root" fields
+ exist for all saved objects, such as "updated_at". "type" fields are
+ specific to an object type, such as fields returned in the
+ attributes key of the response. When a single type is defined in the
+ type parameter, the "root" and "type" fields are allowed, and
+ validity checks are made in that order. When multiple types are
+ defined in the type parameter, only "root" fields are allowed.
in: query
name: sort_field
schema:
@@ -20075,28 +22466,43 @@ paths:
- saved objects
/api/saved_objects/_import:
post:
- description: |
- Create sets of Kibana saved objects from a file created by the export API.
- Saved objects can be imported only into the same version, a newer minor on the same major, or the next major. Exported saved objects are not backwards compatible and cannot be imported into an older version of Kibana.
+ description: >
+ Create sets of Kibana saved objects from a file created by the export
+ API.
+
+ Saved objects can be imported only into the same version, a newer minor
+ on the same major, or the next major. Exported saved objects are not
+ backwards compatible and cannot be imported into an older version of
+ Kibana.
operationId: importSavedObjectsDefault
parameters:
- $ref: '#/components/parameters/Saved_objects_kbn_xsrf'
- - description: |
- Creates copies of saved objects, regenerates each object ID, and resets the origin. When used, potential conflict errors are avoided. NOTE: This option cannot be used with the `overwrite` and `compatibilityMode` options.
+ - description: >
+ Creates copies of saved objects, regenerates each object ID, and
+ resets the origin. When used, potential conflict errors are avoided.
+ NOTE: This option cannot be used with the `overwrite` and
+ `compatibilityMode` options.
in: query
name: createNewCopies
required: false
schema:
type: boolean
- - description: |
- Overwrites saved objects when they already exist. When used, potential conflict errors are automatically resolved by overwriting the destination object. NOTE: This option cannot be used with the `createNewCopies` option.
+ - description: >
+ Overwrites saved objects when they already exist. When used,
+ potential conflict errors are automatically resolved by overwriting
+ the destination object. NOTE: This option cannot be used with the
+ `createNewCopies` option.
in: query
name: overwrite
required: false
schema:
type: boolean
- - description: |
- Applies various adjustments to the saved objects that are being imported to maintain compatibility between different Kibana versions. Use this option only if you encounter issues with imported saved objects. NOTE: This option cannot be used with the `createNewCopies` option.
+ - description: >
+ Applies various adjustments to the saved objects that are being
+ imported to maintain compatibility between different Kibana
+ versions. Use this option only if you encounter issues with imported
+ saved objects. NOTE: This option cannot be used with the
+ `createNewCopies` option.
in: query
name: compatibilityMode
required: false
@@ -20112,8 +22518,15 @@ paths:
type: object
properties:
file:
- description: |
- A file exported using the export API. Changing the contents of the exported file in any way before importing it can cause errors, crashes or data loss. NOTE: The `savedObjects.maxImportExportSize` configuration setting limits the number of saved objects which may be included in this file. Similarly, the `savedObjects.maxImportPayloadBytes` setting limits the overall size of the file that can be imported.
+ description: >
+ A file exported using the export API. Changing the contents
+ of the exported file in any way before importing it can
+ cause errors, crashes or data loss. NOTE: The
+ `savedObjects.maxImportExportSize` configuration setting
+ limits the number of saved objects which may be included in
+ this file. Similarly, the
+ `savedObjects.maxImportPayloadBytes` setting limits the
+ overall size of the file that can be imported.
required: true
responses:
'200':
@@ -20126,25 +22539,38 @@ paths:
type: object
properties:
errors:
- description: |
- Indicates the import was unsuccessful and specifies the objects that failed to import.
+ description: >
+ Indicates the import was unsuccessful and specifies the
+ objects that failed to import.
+
- NOTE: One object may result in multiple errors, which requires separate steps to resolve. For instance, a `missing_references` error and conflict error.
+ NOTE: One object may result in multiple errors, which
+ requires separate steps to resolve. For instance, a
+ `missing_references` error and conflict error.
items:
type: object
type: array
success:
- description: |
- Indicates when the import was successfully completed. When set to false, some objects may not have been created. For additional information, refer to the `errors` and `successResults` properties.
+ description: >
+ Indicates when the import was successfully completed. When
+ set to false, some objects may not have been created. For
+ additional information, refer to the `errors` and
+ `successResults` properties.
type: boolean
successCount:
description: Indicates the number of successfully imported records.
type: integer
successResults:
- description: |
- Indicates the objects that are successfully imported, with any metadata if applicable.
+ description: >
+ Indicates the objects that are successfully imported, with
+ any metadata if applicable.
+
- NOTE: Objects are created only when all resolvable errors are addressed, including conflicts and missing references. If objects are created as new copies, each entry in the `successResults` array includes a `destinationId` attribute.
+ NOTE: Objects are created only when all resolvable errors
+ are addressed, including conflicts and missing references.
+ If objects are created as new copies, each entry in the
+ `successResults` array includes a `destinationId`
+ attribute.
items:
type: object
type: array
@@ -20177,15 +22603,21 @@ paths:
operationId: resolveImportErrors
parameters:
- $ref: '#/components/parameters/Saved_objects_kbn_xsrf'
- - description: |
- Applies various adjustments to the saved objects that are being imported to maintain compatibility between different Kibana versions. When enabled during the initial import, also enable when resolving import errors. This option cannot be used with the `createNewCopies` option.
+ - description: >
+ Applies various adjustments to the saved objects that are being
+ imported to maintain compatibility between different Kibana
+ versions. When enabled during the initial import, also enable when
+ resolving import errors. This option cannot be used with the
+ `createNewCopies` option.
in: query
name: compatibilityMode
required: false
schema:
type: boolean
- - description: |
- Creates copies of the saved objects, regenerates each object ID, and resets the origin. When enabled during the initial import, also enable when resolving import errors.
+ - description: >
+ Creates copies of the saved objects, regenerates each object ID, and
+ resets the origin. When enabled during the initial import, also
+ enable when resolving import errors.
in: query
name: createNewCopies
required: false
@@ -20196,7 +22628,8 @@ paths:
multipart/form-data:
examples:
resolveImportErrorsRequest:
- $ref: '#/components/examples/Saved_objects_resolve_missing_reference_request'
+ $ref: >-
+ #/components/examples/Saved_objects_resolve_missing_reference_request
schema:
type: object
properties:
@@ -20205,24 +22638,35 @@ paths:
format: binary
type: string
retries:
- description: The retry operations, which can specify how to resolve different types of errors.
+ description: >-
+ The retry operations, which can specify how to resolve
+ different types of errors.
items:
type: object
properties:
destinationId:
- description: Specifies the destination ID that the imported object should have, if different from the current ID.
+ description: >-
+ Specifies the destination ID that the imported object
+ should have, if different from the current ID.
type: string
id:
description: The saved object ID.
type: string
ignoreMissingReferences:
- description: When set to `true`, ignores missing reference errors. When set to `false`, does nothing.
+ description: >-
+ When set to `true`, ignores missing reference errors.
+ When set to `false`, does nothing.
type: boolean
overwrite:
- description: When set to `true`, the source object overwrites the conflicting destination object. When set to `false`, does nothing.
+ description: >-
+ When set to `true`, the source object overwrites the
+ conflicting destination object. When set to `false`,
+ does nothing.
type: boolean
replaceReferences:
- description: A list of `type`, `from`, and `to` used to change the object references.
+ description: >-
+ A list of `type`, `from`, and `to` used to change the
+ object references.
items:
type: object
properties:
@@ -20249,31 +22693,41 @@ paths:
application/json:
examples:
resolveImportErrorsResponse:
- $ref: '#/components/examples/Saved_objects_resolve_missing_reference_response'
+ $ref: >-
+ #/components/examples/Saved_objects_resolve_missing_reference_response
schema:
type: object
properties:
errors:
- description: |
+ description: >
Specifies the objects that failed to resolve.
- NOTE: One object can result in multiple errors, which requires separate steps to resolve. For instance, a `missing_references` error and a `conflict` error.
+
+ NOTE: One object can result in multiple errors, which
+ requires separate steps to resolve. For instance, a
+ `missing_references` error and a `conflict` error.
items:
type: object
type: array
success:
- description: |
- Indicates a successful import. When set to `false`, some objects may not have been created. For additional information, refer to the `errors` and `successResults` properties.
+ description: >
+ Indicates a successful import. When set to `false`, some
+ objects may not have been created. For additional
+ information, refer to the `errors` and `successResults`
+ properties.
type: boolean
successCount:
description: |
Indicates the number of successfully resolved records.
type: number
successResults:
- description: |
- Indicates the objects that are successfully imported, with any metadata if applicable.
+ description: >
+ Indicates the objects that are successfully imported, with
+ any metadata if applicable.
- NOTE: Objects are only created when all resolvable errors are addressed, including conflict and missing references.
+
+ NOTE: Objects are only created when all resolvable errors
+ are addressed, including conflict and missing references.
items:
type: object
type: array
@@ -20357,7 +22811,9 @@ paths:
- saved objects
post:
deprecated: true
- description: Create a Kibana saved object and specify its identifier instead of using a randomly generated ID.
+ description: >-
+ Create a Kibana saved object and specify its identifier instead of using
+ a randomly generated ID.
operationId: createSavedObjectId
parameters:
- $ref: '#/components/parameters/Saved_objects_kbn_xsrf'
@@ -20438,8 +22894,14 @@ paths:
/api/saved_objects/resolve/{type}/{id}:
get:
deprecated: true
- description: |
- Retrieve a single Kibana saved object by identifier using any legacy URL alias if it exists. Under certain circumstances, when Kibana is upgraded, saved object migrations may necessitate regenerating some object IDs to enable new features. When an object's ID is regenerated, a legacy URL alias is created for that object, preserving its old ID. In such a scenario, that object can be retrieved using either its new ID or its old ID.
+ description: >
+ Retrieve a single Kibana saved object by identifier using any legacy URL
+ alias if it exists. Under certain circumstances, when Kibana is
+ upgraded, saved object migrations may necessitate regenerating some
+ object IDs to enable new features. When an object's ID is regenerated, a
+ legacy URL alias is created for that object, preserving its old ID. In
+ such a scenario, that object can be retrieved using either its new ID or
+ its old ID.
operationId: resolveSavedObject
parameters:
- $ref: '#/components/parameters/Saved_objects_saved_object_id'
@@ -20462,7 +22924,10 @@ paths:
- saved objects
/api/security_ai_assistant/anonymization_fields/_bulk_action:
post:
- description: Apply a bulk action to multiple anonymization fields. The bulk action is applied to all anonymization fields that match the filter or to the list of anonymization fields by their IDs.
+ description: >-
+ Apply a bulk action to multiple anonymization fields. The bulk action is
+ applied to all anonymization fields that match the filter or to the list
+ of anonymization fields by their IDs.
operationId: PerformAnonymizationFieldsBulkAction
requestBody:
content:
@@ -20493,10 +22958,13 @@ paths:
create:
description: Array of anonymization fields to create.
items:
- $ref: '#/components/schemas/Security_AI_Assistant_API_AnonymizationFieldCreateProps'
+ $ref: >-
+ #/components/schemas/Security_AI_Assistant_API_AnonymizationFieldCreateProps
type: array
delete:
- description: Object containing the query to filter anonymization fields and/or an array of anonymization field IDs to delete.
+ description: >-
+ Object containing the query to filter anonymization fields
+ and/or an array of anonymization field IDs to delete.
type: object
properties:
ids:
@@ -20515,7 +22983,8 @@ paths:
update:
description: Array of anonymization fields to update.
items:
- $ref: '#/components/schemas/Security_AI_Assistant_API_AnonymizationFieldUpdateProps'
+ $ref: >-
+ #/components/schemas/Security_AI_Assistant_API_AnonymizationFieldUpdateProps
type: array
responses:
'200':
@@ -20562,7 +23031,8 @@ paths:
status_code: 200
success: true
schema:
- $ref: '#/components/schemas/Security_AI_Assistant_API_AnonymizationFieldsBulkCrudActionResponse'
+ $ref: >-
+ #/components/schemas/Security_AI_Assistant_API_AnonymizationFieldsBulkCrudActionResponse
description: Indicates a successful call.
'400':
content:
@@ -20587,6 +23057,7 @@ paths:
summary: Apply a bulk action to anonymization fields
tags:
- Security AI Assistant API
+ - Bulk API
/api/security_ai_assistant/anonymization_fields/_find:
get:
description: Get a list of all anonymization fields.
@@ -20618,7 +23089,8 @@ paths:
name: sort_field
required: false
schema:
- $ref: '#/components/schemas/Security_AI_Assistant_API_FindAnonymizationFieldsSortField'
+ $ref: >-
+ #/components/schemas/Security_AI_Assistant_API_FindAnonymizationFieldsSortField
- description: Sort order
example: asc
in: query
@@ -20668,7 +23140,8 @@ paths:
properties:
data:
items:
- $ref: '#/components/schemas/Security_AI_Assistant_API_AnonymizationFieldResponse'
+ $ref: >-
+ #/components/schemas/Security_AI_Assistant_API_AnonymizationFieldResponse
type: array
page:
type: integer
@@ -20702,6 +23175,7 @@ paths:
summary: Get anonymization fields
tags:
- Security AI Assistant API
+ - AnonymizationFields API
/api/security_ai_assistant/chat/complete:
post:
description: Create a model response for the given chat conversation.
@@ -20769,9 +23243,13 @@ paths:
summary: Create a model response
tags:
- Security AI Assistant API
+ - Chat Complete API
/api/security_ai_assistant/current_user/conversations:
post:
- description: Create a new Security AI Assistant conversation. This endpoint allows the user to initiate a conversation with the Security AI Assistant by providing the required parameters.
+ description: >-
+ Create a new Security AI Assistant conversation. This endpoint allows
+ the user to initiate a conversation with the Security AI Assistant by
+ providing the required parameters.
operationId: CreateConversation
requestBody:
content:
@@ -20789,7 +23267,8 @@ paths:
replacements: {}
title: Security Discussion
schema:
- $ref: '#/components/schemas/Security_AI_Assistant_API_ConversationCreateProps'
+ $ref: >-
+ #/components/schemas/Security_AI_Assistant_API_ConversationCreateProps
required: true
responses:
'200':
@@ -20814,8 +23293,11 @@ paths:
- id: user1
name: John Doe
schema:
- $ref: '#/components/schemas/Security_AI_Assistant_API_ConversationResponse'
- description: Indicates a successful call. The conversation was created successfully.
+ $ref: >-
+ #/components/schemas/Security_AI_Assistant_API_ConversationResponse
+ description: >-
+ Indicates a successful call. The conversation was created
+ successfully.
'400':
content:
application/json:
@@ -20831,16 +23313,24 @@ paths:
statusCode:
example: 400
type: number
- description: Generic Error. This response indicates an issue with the request, such as missing required parameters or incorrect data.
+ description: >-
+ Generic Error. This response indicates an issue with the request,
+ such as missing required parameters or incorrect data.
summary: Create a conversation
tags:
- Security AI Assistant API
+ - Conversation API
/api/security_ai_assistant/current_user/conversations/_find:
get:
- description: Get a list of all conversations for the current user. This endpoint allows users to search, filter, sort, and paginate through their conversations.
+ description: >-
+ Get a list of all conversations for the current user. This endpoint
+ allows users to search, filter, sort, and paginate through their
+ conversations.
operationId: FindConversations
parameters:
- - description: A list of fields to include in the response. If omitted, all fields are returned.
+ - description: >-
+ A list of fields to include in the response. If omitted, all fields
+ are returned.
in: query
name: fields
required: false
@@ -20852,21 +23342,28 @@ paths:
items:
type: string
type: array
- - description: A search query to filter the conversations. Can match against titles, messages, or other conversation attributes.
+ - description: >-
+ A search query to filter the conversations. Can match against
+ titles, messages, or other conversation attributes.
in: query
name: filter
required: false
schema:
example: Security Issue
type: string
- - description: The field by which to sort the results. Valid fields are `created_at`, `title`, and `updated_at`.
+ - description: >-
+ The field by which to sort the results. Valid fields are
+ `created_at`, `title`, and `updated_at`.
in: query
name: sort_field
required: false
schema:
- $ref: '#/components/schemas/Security_AI_Assistant_API_FindConversationsSortField'
+ $ref: >-
+ #/components/schemas/Security_AI_Assistant_API_FindConversationsSortField
example: created_at
- - description: The order in which to sort the results. Can be either `asc` for ascending or `desc` for descending.
+ - description: >-
+ The order in which to sort the results. Can be either `asc` for
+ ascending or `desc` for descending.
in: query
name: sort_order
required: false
@@ -20901,7 +23398,8 @@ paths:
data:
description: A list of conversations.
items:
- $ref: '#/components/schemas/Security_AI_Assistant_API_ConversationResponse'
+ $ref: >-
+ #/components/schemas/Security_AI_Assistant_API_ConversationResponse
type: array
page:
description: The current page of the results.
@@ -20912,7 +23410,9 @@ paths:
example: 20
type: integer
total:
- description: The total number of conversations matching the filter criteria.
+ description: >-
+ The total number of conversations matching the filter
+ criteria.
example: 100
type: integer
required:
@@ -20920,7 +23420,9 @@ paths:
- perPage
- total
- data
- description: Successful response, returns a paginated list of conversations matching the specified criteria.
+ description: >-
+ Successful response, returns a paginated list of conversations
+ matching the specified criteria.
'400':
content:
application/json:
@@ -20936,13 +23438,18 @@ paths:
statusCode:
example: 400
type: number
- description: Generic Error. The request could not be processed due to an invalid query parameter or other issue.
+ description: >-
+ Generic Error. The request could not be processed due to an invalid
+ query parameter or other issue.
summary: Get conversations
tags:
- Security AI Assistant API
+ - Conversations API
/api/security_ai_assistant/current_user/conversations/{id}:
delete:
- description: Delete an existing conversation using the conversation ID. This endpoint allows users to permanently delete a conversation.
+ description: >-
+ Delete an existing conversation using the conversation ID. This endpoint
+ allows users to permanently delete a conversation.
operationId: DeleteConversation
parameters:
- description: The conversation's `id` value.
@@ -20975,8 +23482,11 @@ paths:
- id: user1
name: John Doe
schema:
- $ref: '#/components/schemas/Security_AI_Assistant_API_ConversationResponse'
- description: Indicates a successful call. The conversation was deleted successfully.
+ $ref: >-
+ #/components/schemas/Security_AI_Assistant_API_ConversationResponse
+ description: >-
+ Indicates a successful call. The conversation was deleted
+ successfully.
'400':
content:
application/json:
@@ -20996,11 +23506,17 @@ paths:
summary: Delete a conversation
tags:
- Security AI Assistant API
+ - Conversation API
get:
- description: Get the details of an existing conversation using the conversation ID. This allows users to fetch the specific conversation data by its unique ID.
+ description: >-
+ Get the details of an existing conversation using the conversation ID.
+ This allows users to fetch the specific conversation data by its unique
+ ID.
operationId: ReadConversation
parameters:
- - description: The conversation's `id` value, a unique identifier for the conversation.
+ - description: >-
+ The conversation's `id` value, a unique identifier for the
+ conversation.
example: abc123
in: path
name: id
@@ -21030,7 +23546,8 @@ paths:
- id: user1
name: John Doe
schema:
- $ref: '#/components/schemas/Security_AI_Assistant_API_ConversationResponse'
+ $ref: >-
+ #/components/schemas/Security_AI_Assistant_API_ConversationResponse
description: Indicates a successful call. The conversation details are returned.
'400':
content:
@@ -21051,8 +23568,11 @@ paths:
summary: Get a conversation
tags:
- Security AI Assistant API
+ - Conversations API
put:
- description: Update an existing conversation using the conversation ID. This endpoint allows users to modify the details of an existing conversation.
+ description: >-
+ Update an existing conversation using the conversation ID. This endpoint
+ allows users to modify the details of an existing conversation.
operationId: UpdateConversation
parameters:
- description: The conversation's `id` value.
@@ -21078,7 +23598,8 @@ paths:
replacements: {}
title: Updated Security Discussion
schema:
- $ref: '#/components/schemas/Security_AI_Assistant_API_ConversationUpdateProps'
+ $ref: >-
+ #/components/schemas/Security_AI_Assistant_API_ConversationUpdateProps
required: true
responses:
'200':
@@ -21103,8 +23624,11 @@ paths:
- id: user1
name: John Doe
schema:
- $ref: '#/components/schemas/Security_AI_Assistant_API_ConversationResponse'
- description: Indicates a successful call. The conversation was updated successfully.
+ $ref: >-
+ #/components/schemas/Security_AI_Assistant_API_ConversationResponse
+ description: >-
+ Indicates a successful call. The conversation was updated
+ successfully.
'400':
content:
application/json:
@@ -21120,10 +23644,13 @@ paths:
statusCode:
example: 400
type: number
- description: Generic Error. This response indicates an issue with the request, such as missing required parameters or incorrect data.
+ description: >-
+ Generic Error. This response indicates an issue with the request,
+ such as missing required parameters or incorrect data.
summary: Update a conversation
tags:
- Security AI Assistant API
+ - Conversation API
/api/security_ai_assistant/knowledge_base/{resource}:
get:
description: Read a single KB
@@ -21147,7 +23674,9 @@ paths:
example: true
type: boolean
is_setup_available:
- description: Indicates if the setup process is available for the KnowledgeBase.
+ description: >-
+ Indicates if the setup process is available for the
+ KnowledgeBase.
example: true
type: boolean
is_setup_in_progress:
@@ -21155,11 +23684,15 @@ paths:
example: false
type: boolean
product_documentation_status:
- description: The status of the product documentation in the KnowledgeBase.
+ description: >-
+ The status of the product documentation in the
+ KnowledgeBase.
example: complete
type: string
security_labs_exists:
- description: Indicates if Security Labs documentation exists in the KnowledgeBase.
+ description: >-
+ Indicates if Security Labs documentation exists in the
+ KnowledgeBase.
example: true
type: boolean
user_data_exists:
@@ -21189,6 +23722,7 @@ paths:
summary: Read a KnowledgeBase
tags:
- Security AI Assistant API
+ - KnowledgeBase API
post:
description: Create a KnowledgeBase
operationId: CreateKnowledgeBase
@@ -21199,14 +23733,18 @@ paths:
name: resource
schema:
type: string
- - description: ELSER modelId to use when setting up the Knowledge Base. If not provided, a default model will be used.
+ - description: >-
+ ELSER modelId to use when setting up the Knowledge Base. If not
+ provided, a default model will be used.
example: elser-model-001
in: query
name: modelId
required: false
schema:
type: string
- - description: Indicates whether we should or should not install Security Labs docs when setting up the Knowledge Base. Defaults to `false`.
+ - description: >-
+ Indicates whether we should or should not install Security Labs docs
+ when setting up the Knowledge Base. Defaults to `false`.
example: true
in: query
name: ignoreSecurityLabs
@@ -21219,7 +23757,8 @@ paths:
content:
application/json:
schema:
- $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseResponse'
+ $ref: >-
+ #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseResponse
description: Indicates a successful call.
'400':
content:
@@ -21243,6 +23782,7 @@ paths:
summary: Create a KnowledgeBase
tags:
- Security AI Assistant API
+ - KnowledgeBase API
/api/security_ai_assistant/knowledge_base/entries:
post:
description: Create a Knowledge Base Entry
@@ -21251,21 +23791,26 @@ paths:
content:
application/json:
example:
- content: To reset your password, go to the settings page and click 'Reset Password'.
+ content: >-
+ To reset your password, go to the settings page and click 'Reset
+ Password'.
tags:
- password
- reset
- help
title: How to reset a password
schema:
- $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryCreateProps'
+ $ref: >-
+ #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryCreateProps
required: true
responses:
'200':
content:
application/json:
example:
- content: To reset your password, go to the settings page and click 'Reset Password'.
+ content: >-
+ To reset your password, go to the settings page and click
+ 'Reset Password'.
id: '12345'
tags:
- password
@@ -21273,7 +23818,8 @@ paths:
- help
title: How to reset a password
schema:
- $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryResponse'
+ $ref: >-
+ #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryResponse
description: Successful request returning Knowledge Base Entries
'400':
content:
@@ -21282,14 +23828,20 @@ paths:
error: Invalid input
message: The 'title' field is required.
schema:
- $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryErrorSchema'
- description: A generic error occurred, such as invalid input or missing required fields.
+ $ref: >-
+ #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryErrorSchema
+ description: >-
+ A generic error occurred, such as invalid input or missing required
+ fields.
summary: Create a Knowledge Base Entry
tags:
- Security AI Assistant API
+ - Knowledge Base Entries API
/api/security_ai_assistant/knowledge_base/entries/_bulk_action:
post:
- description: The bulk action is applied to all Knowledge Base Entries that match the filter or to the list of Knowledge Base Entries by their IDs.
+ description: >-
+ The bulk action is applied to all Knowledge Base Entries that match the
+ filter or to the list of Knowledge Base Entries by their IDs.
operationId: PerformKnowledgeBaseEntryBulkAction
requestBody:
content:
@@ -21303,7 +23855,8 @@ paths:
- content: This is the content of the new entry.
title: New Entry
items:
- $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryCreateProps'
+ $ref: >-
+ #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryCreateProps
type: array
delete:
type: object
@@ -21329,30 +23882,36 @@ paths:
id: '123'
title: Updated Entry
items:
- $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryUpdateProps'
+ $ref: >-
+ #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryUpdateProps
type: array
responses:
'200':
content:
application/json:
schema:
- $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryBulkCrudActionResponse'
+ $ref: >-
+ #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryBulkCrudActionResponse
description: Successful bulk operation request
'400':
content:
application/json:
schema:
- $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryErrorSchema'
+ $ref: >-
+ #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryErrorSchema
description: Generic Error
summary: Applies a bulk action to multiple Knowledge Base Entries
tags:
- Security AI Assistant API
+ - Knowledge Base Entries Bulk API
/api/security_ai_assistant/knowledge_base/entries/_find:
get:
description: Finds Knowledge Base Entries that match the given query.
operationId: FindKnowledgeBaseEntries
parameters:
- - description: A list of fields to include in the response. If not provided, all fields will be included.
+ - description: >-
+ A list of fields to include in the response. If not provided, all
+ fields will be included.
in: query
name: fields
required: false
@@ -21375,7 +23934,8 @@ paths:
name: sort_field
required: false
schema:
- $ref: '#/components/schemas/Security_AI_Assistant_API_FindKnowledgeBaseEntriesSortField'
+ $ref: >-
+ #/components/schemas/Security_AI_Assistant_API_FindKnowledgeBaseEntriesSortField
example: created_at
- description: Sort order for the results, either asc or desc.
in: query
@@ -21412,7 +23972,8 @@ paths:
data:
description: The list of Knowledge Base Entries for the current page.
items:
- $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryResponse'
+ $ref: >-
+ #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryResponse
type: array
page:
description: The current page number.
@@ -21454,6 +24015,7 @@ paths:
summary: Finds Knowledge Base Entries that match the given query.
tags:
- Security AI Assistant API
+ - Knowledge Base Entries API
/api/security_ai_assistant/knowledge_base/entries/{id}:
delete:
description: Delete a Knowledge Base Entry by its unique `id`.
@@ -21474,8 +24036,11 @@ paths:
id: '12345'
message: Knowledge Base Entry successfully deleted.
schema:
- $ref: '#/components/schemas/Security_AI_Assistant_API_DeleteResponseFields'
- description: Successful request returning the `id` of the deleted Knowledge Base Entry.
+ $ref: >-
+ #/components/schemas/Security_AI_Assistant_API_DeleteResponseFields
+ description: >-
+ Successful request returning the `id` of the deleted Knowledge Base
+ Entry.
'400':
content:
application/json:
@@ -21483,16 +24048,22 @@ paths:
error: Not Found
message: No Knowledge Base Entry found with the provided `id`.
schema:
- $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryErrorSchema'
- description: A generic error occurred, such as an invalid `id` or the entry not being found.
+ $ref: >-
+ #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryErrorSchema
+ description: >-
+ A generic error occurred, such as an invalid `id` or the entry not
+ being found.
summary: Deletes a single Knowledge Base Entry using the `id` field
tags:
- Security AI Assistant API
+ - Knowledge Base Entries API
get:
description: Retrieve a Knowledge Base Entry by its unique `id`.
operationId: ReadKnowledgeBaseEntry
parameters:
- - description: The unique identifier (`id`) of the Knowledge Base Entry to retrieve.
+ - description: >-
+ The unique identifier (`id`) of the Knowledge Base Entry to
+ retrieve.
example: '12345'
in: path
name: id
@@ -21504,7 +24075,9 @@ paths:
content:
application/json:
example:
- content: To reset your password, go to the settings page and click 'Reset Password'.
+ content: >-
+ To reset your password, go to the settings page and click
+ 'Reset Password'.
id: '12345'
tags:
- password
@@ -21512,7 +24085,8 @@ paths:
- help
title: How to reset a password
schema:
- $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryResponse'
+ $ref: >-
+ #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryResponse
description: Successful request returning the requested Knowledge Base Entry.
'400':
content:
@@ -21521,11 +24095,15 @@ paths:
error: Not Found
message: No Knowledge Base Entry found with the provided `id`.
schema:
- $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryErrorSchema'
- description: A generic error occurred, such as an invalid `id` or the entry not being found.
+ $ref: >-
+ #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryErrorSchema
+ description: >-
+ A generic error occurred, such as an invalid `id` or the entry not
+ being found.
summary: Read a Knowledge Base Entry
tags:
- Security AI Assistant API
+ - Knowledge Base Entries API
put:
description: Update an existing Knowledge Base Entry by its unique `id`.
operationId: UpdateKnowledgeBaseEntry
@@ -21541,7 +24119,9 @@ paths:
content:
application/json:
example:
- content: To reset your password, go to the settings page, click 'Reset Password', and follow the instructions.
+ content: >-
+ To reset your password, go to the settings page, click 'Reset
+ Password', and follow the instructions.
tags:
- password
- reset
@@ -21549,14 +24129,17 @@ paths:
- update
title: How to reset a password (updated)
schema:
- $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryUpdateRouteProps'
+ $ref: >-
+ #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryUpdateRouteProps
required: true
responses:
'200':
content:
application/json:
example:
- content: To reset your password, go to the settings page, click 'Reset Password', and follow the instructions.
+ content: >-
+ To reset your password, go to the settings page, click 'Reset
+ Password', and follow the instructions.
id: '12345'
tags:
- password
@@ -21565,7 +24148,8 @@ paths:
- update
title: How to reset a password (updated)
schema:
- $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryResponse'
+ $ref: >-
+ #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryResponse
description: Successful request returning the updated Knowledge Base Entry.
'400':
content:
@@ -21574,14 +24158,21 @@ paths:
error: Invalid input
message: The 'content' field cannot be empty.
schema:
- $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryErrorSchema'
- description: A generic error occurred, such as invalid input or the entry not being found.
+ $ref: >-
+ #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryErrorSchema
+ description: >-
+ A generic error occurred, such as invalid input or the entry not
+ being found.
summary: Update a Knowledge Base Entry
tags:
- Security AI Assistant API
+ - Knowledge Base Entries API
/api/security_ai_assistant/prompts/_bulk_action:
post:
- description: Apply a bulk action to multiple prompts. The bulk action is applied to all prompts that match the filter or to the list of prompts by their IDs. This action allows for bulk create, update, or delete operations.
+ description: >-
+ Apply a bulk action to multiple prompts. The bulk action is applied to
+ all prompts that match the filter or to the list of prompts by their
+ IDs. This action allows for bulk create, update, or delete operations.
operationId: PerformPromptsBulkAction
requestBody:
content:
@@ -21604,7 +24195,8 @@ paths:
create:
description: List of prompts to be created.
items:
- $ref: '#/components/schemas/Security_AI_Assistant_API_PromptCreateProps'
+ $ref: >-
+ #/components/schemas/Security_AI_Assistant_API_PromptCreateProps
type: array
delete:
description: Criteria for deleting prompts in bulk.
@@ -21626,7 +24218,8 @@ paths:
update:
description: List of prompts to be updated.
items:
- $ref: '#/components/schemas/Security_AI_Assistant_API_PromptUpdateProps'
+ $ref: >-
+ #/components/schemas/Security_AI_Assistant_API_PromptUpdateProps
type: array
responses:
'200':
@@ -21665,7 +24258,8 @@ paths:
status_code: 200
success: true
schema:
- $ref: '#/components/schemas/Security_AI_Assistant_API_PromptsBulkCrudActionResponse'
+ $ref: >-
+ #/components/schemas/Security_AI_Assistant_API_PromptsBulkCrudActionResponse
description: Indicates a successful call with the results of the bulk action.
'400':
content:
@@ -21689,9 +24283,12 @@ paths:
summary: Apply a bulk action to prompts
tags:
- Security AI Assistant API
+ - Bulk API
/api/security_ai_assistant/prompts/_find:
get:
- description: Get a list of all prompts based on optional filters, sorting, and pagination.
+ description: >-
+ Get a list of all prompts based on optional filters, sorting, and
+ pagination.
operationId: FindPrompts
parameters:
- description: List of specific fields to include in each returned prompt.
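Review bot: The new tag `- Bulk API` on the prompts bulk-action route is generic and inconsistent with the sibling routes in this commit, which use route-specific tags (`- Knowledge Base Entries Bulk API` in the `@@ -21329` hunk, `- Prompts API` in the `@@ -21820` hunk). Because tags group operations in rendered documentation, a bare `Bulk API` would pull this operation into a single bucket with any other bulk action that later picks the same name; `- Prompts Bulk API` would match the naming of its neighbours. This bundle looks generated, so the fix presumably belongs in the source spec the tag is emitted from.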
@@ -21718,7 +24315,8 @@ paths:
name: sort_field
required: false
schema:
- $ref: '#/components/schemas/Security_AI_Assistant_API_FindPromptsSortField'
+ $ref: >-
+ #/components/schemas/Security_AI_Assistant_API_FindPromptsSortField
- description: Sort order, either asc or desc.
in: query
name: sort_order
@@ -21776,9 +24374,12 @@ paths:
type: object
properties:
data:
- description: The list of prompts returned based on the search query, sorting, and pagination.
+ description: >-
+ The list of prompts returned based on the search query,
+ sorting, and pagination.
items:
- $ref: '#/components/schemas/Security_AI_Assistant_API_PromptResponse'
+ $ref: >-
+ #/components/schemas/Security_AI_Assistant_API_PromptResponse
type: array
page:
description: Current page number.
@@ -21820,11 +24421,15 @@ paths:
summary: Get prompts
tags:
- Security AI Assistant API
+ - Prompts API
/api/security/role:
get:
operationId: get-security-role
parameters:
- - description: If `true` and the response contains any privileges that are associated with deprecated features, they are omitted in favor of details about the appropriate replacement feature privileges.
+ - description: >-
+ If `true` and the response contains any privileges that are
+ associated with deprecated features, they are omitted in favor of
+ details about the appropriate replacement feature privileges.
in: query
name: replaceDeprecatedPrivileges
required: false
@@ -21833,11 +24438,6 @@ paths:
responses:
'200':
description: Indicates a successful call.
- content:
- application/json:
- examples:
- getRolesResponse1:
- $ref: '#/components/examples/get_roles_response1'
summary: Get all roles
tags:
- roles
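Review bot: After this hunk the `'200'` response of `get-security-role` consists of a `description` only, so the bundle no longer documents a response body for the roles endpoint — the removed `content` block was the only place the response shape was referenced, via `#/components/examples/get_roles_response1`. If the example component was dropped elsewhere in this commit, the response should still declare `content` with an `application/json` `schema` so consumers know a body is returned; if the component still exists, the removal looks unintended. The same removal occurs in the `@@ -21932` hunk (`get_role_response1`) and, for the request body of the PUT role route, in the `@@ -22140` hunk (`create_role_request1` through `create_role_request4`).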
@@ -21923,7 +24523,10 @@ paths:
schema:
minLength: 1
type: string
- - description: If `true` and the response contains any privileges that are associated with deprecated features, they are omitted in favor of details about the appropriate replacement feature privileges.
+ - description: >-
+ If `true` and the response contains any privileges that are
+ associated with deprecated features, they are omitted in favor of
+ details about the appropriate replacement feature privileges.
in: query
name: replaceDeprecatedPrivileges
required: false
@@ -21932,16 +24535,13 @@ paths:
responses:
'200':
description: Indicates a successful call.
- content:
- application/json:
- examples:
- getRoleResponse1:
- $ref: '#/components/examples/get_role_response1'
summary: Get a role
tags:
- roles
put:
- description: Create a new Kibana role or update the attributes of an existing role. Kibana roles are stored in the Elasticsearch native realm.
+ description: >-
+ Create a new Kibana role or update the attributes of an existing role.
+ Kibana roles are stored in the Elasticsearch native realm.
operationId: put-security-role-name
parameters:
- description: A required header to protect against CSRF attacks
@@ -21983,7 +24583,9 @@ paths:
properties:
cluster:
items:
- description: Cluster privileges that define the cluster level actions that users can perform.
+ description: >-
+ Cluster privileges that define the cluster level
+ actions that users can perform.
type: string
type: array
indices:
@@ -21992,29 +24594,55 @@ paths:
type: object
properties:
allow_restricted_indices:
- description: Restricted indices are a special category of indices that are used internally to store configuration data and should not be directly accessed. Only internal system roles should normally grant privileges over the restricted indices. Toggling this flag is very strongly discouraged because it could effectively grant unrestricted operations on critical data, making the entire system unstable or leaking sensitive information. If for administrative purposes you need to create a role with privileges covering restricted indices, however, you can set this property to true. In that case, the names field covers the restricted indices too.
+ description: >-
+ Restricted indices are a special category of
+ indices that are used internally to store
+ configuration data and should not be directly
+ accessed. Only internal system roles should
+ normally grant privileges over the restricted
+ indices. Toggling this flag is very strongly
+ discouraged because it could effectively grant
+ unrestricted operations on critical data, making
+ the entire system unstable or leaking sensitive
+ information. If for administrative purposes you
+ need to create a role with privileges covering
+ restricted indices, however, you can set this
+ property to true. In that case, the names field
+ covers the restricted indices too.
type: boolean
field_security:
additionalProperties:
items:
- description: The document fields that the role members have read access to.
+ description: >-
+ The document fields that the role members have
+ read access to.
type: string
type: array
type: object
names:
items:
- description: The data streams, indices, and aliases to which the permissions in this entry apply. It supports wildcards (*).
+ description: >-
+ The data streams, indices, and aliases to which
+ the permissions in this entry apply. It supports
+ wildcards (*).
type: string
minItems: 1
type: array
privileges:
items:
- description: The index level privileges that the role members have for the data streams and indices.
+ description: >-
+ The index level privileges that the role members
+ have for the data streams and indices.
type: string
minItems: 1
type: array
query:
- description: A search query that defines the documents the role members have read access to. A document within the specified data streams and indices must match this query in order for it to be accessible by the role members.
+ description: >-
+ A search query that defines the documents the role
+ members have read access to. A document within the
+ specified data streams and indices must match this
+ query in order for it to be accessible by the role
+ members.
type: string
required:
- names
@@ -22027,13 +24655,19 @@ paths:
properties:
clusters:
items:
- description: A list of remote cluster aliases. It supports literal strings as well as wildcards and regular expressions.
+ description: >-
+ A list of remote cluster aliases. It supports
+ literal strings as well as wildcards and regular
+ expressions.
type: string
minItems: 1
type: array
privileges:
items:
- description: The cluster level privileges for the remote cluster. The allowed values are a subset of the cluster privileges.
+ description: >-
+ The cluster level privileges for the remote
+ cluster. The allowed values are a subset of the
+ cluster privileges.
type: string
minItems: 1
type: array
@@ -22047,35 +24681,64 @@ paths:
type: object
properties:
allow_restricted_indices:
- description: Restricted indices are a special category of indices that are used internally to store configuration data and should not be directly accessed. Only internal system roles should normally grant privileges over the restricted indices. Toggling this flag is very strongly discouraged because it could effectively grant unrestricted operations on critical data, making the entire system unstable or leaking sensitive information. If for administrative purposes you need to create a role with privileges covering restricted indices, however, you can set this property to true. In that case, the names field will cover the restricted indices too.
+ description: >-
+ Restricted indices are a special category of
+ indices that are used internally to store
+ configuration data and should not be directly
+ accessed. Only internal system roles should
+ normally grant privileges over the restricted
+ indices. Toggling this flag is very strongly
+ discouraged because it could effectively grant
+ unrestricted operations on critical data, making
+ the entire system unstable or leaking sensitive
+ information. If for administrative purposes you
+ need to create a role with privileges covering
+ restricted indices, however, you can set this
+ property to true. In that case, the names field
+ will cover the restricted indices too.
type: boolean
clusters:
items:
- description: A list of remote cluster aliases. It supports literal strings as well as wildcards and regular expressions.
+ description: >-
+ A list of remote cluster aliases. It supports
+ literal strings as well as wildcards and regular
+ expressions.
type: string
minItems: 1
type: array
field_security:
additionalProperties:
items:
- description: The document fields that the role members have read access to.
+ description: >-
+ The document fields that the role members have
+ read access to.
type: string
type: array
type: object
names:
items:
- description: A list of remote aliases, data streams, or indices to which the permissions apply. It supports wildcards (*).
+ description: >-
+ A list of remote aliases, data streams, or
+ indices to which the permissions apply. It
+ supports wildcards (*).
type: string
minItems: 1
type: array
privileges:
items:
- description: The index level privileges that role members have for the specified indices.
+ description: >-
+ The index level privileges that role members
+ have for the specified indices.
type: string
minItems: 1
type: array
query:
- description: 'A search query that defines the documents the role members have read access to. A document within the specified data streams and indices must match this query in order for it to be accessible by the role members. '
+ description: >-
+ A search query that defines the documents the role
+ members have read access to. A document within the
+ specified data streams and indices must match this
+ query in order for it to be accessible by the role
+ members.
type: string
required:
- clusters
@@ -22103,17 +24766,23 @@ paths:
nullable: true
oneOf:
- items:
- description: A base privilege that grants applies to all spaces.
+ description: >-
+ A base privilege that grants applies to all
+ spaces.
type: string
type: array
- items:
- description: A base privilege that applies to specific spaces.
+ description: >-
+ A base privilege that applies to specific
+ spaces.
type: string
type: array
feature:
additionalProperties:
items:
- description: The privileges that the role member has for the feature.
+ description: >-
+ The privileges that the role member has for the
+ feature.
type: string
type: array
type: object
@@ -22140,15 +24809,6 @@ paths:
type: object
required:
- elasticsearch
- examples:
- createRoleRequest1:
- $ref: '#/components/examples/create_role_request1'
- createRoleRequest2:
- $ref: '#/components/examples/create_role_request2'
- createRoleRequest3:
- $ref: '#/components/examples/create_role_request3'
- createRoleRequest4:
- $ref: '#/components/examples/create_role_request4'
responses:
'204':
description: Indicates a successful call.
@@ -22188,7 +24848,9 @@ paths:
properties:
cluster:
items:
- description: Cluster privileges that define the cluster level actions that users can perform.
+ description: >-
+ Cluster privileges that define the cluster level
+ actions that users can perform.
type: string
type: array
indices:
@@ -22197,29 +24859,58 @@ paths:
type: object
properties:
allow_restricted_indices:
- description: Restricted indices are a special category of indices that are used internally to store configuration data and should not be directly accessed. Only internal system roles should normally grant privileges over the restricted indices. Toggling this flag is very strongly discouraged because it could effectively grant unrestricted operations on critical data, making the entire system unstable or leaking sensitive information. If for administrative purposes you need to create a role with privileges covering restricted indices, however, you can set this property to true. In that case, the names field covers the restricted indices too.
+ description: >-
+ Restricted indices are a special category of
+ indices that are used internally to store
+ configuration data and should not be
+ directly accessed. Only internal system
+ roles should normally grant privileges over
+ the restricted indices. Toggling this flag
+ is very strongly discouraged because it
+ could effectively grant unrestricted
+ operations on critical data, making the
+ entire system unstable or leaking sensitive
+ information. If for administrative purposes
+ you need to create a role with privileges
+ covering restricted indices, however, you
+ can set this property to true. In that case,
+ the names field covers the restricted
+ indices too.
type: boolean
field_security:
additionalProperties:
items:
- description: The document fields that the role members have read access to.
+ description: >-
+ The document fields that the role
+ members have read access to.
type: string
type: array
type: object
names:
items:
- description: The data streams, indices, and aliases to which the permissions in this entry apply. It supports wildcards (*).
+ description: >-
+ The data streams, indices, and aliases to
+ which the permissions in this entry apply.
+ It supports wildcards (*).
type: string
minItems: 1
type: array
privileges:
items:
- description: The index level privileges that the role members have for the data streams and indices.
+ description: >-
+ The index level privileges that the role
+ members have for the data streams and
+ indices.
type: string
minItems: 1
type: array
query:
- description: A search query that defines the documents the role members have read access to. A document within the specified data streams and indices must match this query in order for it to be accessible by the role members.
+ description: >-
+ A search query that defines the documents
+ the role members have read access to. A
+ document within the specified data streams
+ and indices must match this query in order
+ for it to be accessible by the role members.
type: string
required:
- names
@@ -22232,13 +24923,19 @@ paths:
properties:
clusters:
items:
- description: A list of remote cluster aliases. It supports literal strings as well as wildcards and regular expressions.
+ description: >-
+ A list of remote cluster aliases. It
+ supports literal strings as well as
+ wildcards and regular expressions.
type: string
minItems: 1
type: array
privileges:
items:
- description: The cluster level privileges for the remote cluster. The allowed values are a subset of the cluster privileges.
+ description: >-
+ The cluster level privileges for the
+ remote cluster. The allowed values are a
+ subset of the cluster privileges.
type: string
minItems: 1
type: array
@@ -22252,35 +24949,67 @@ paths:
type: object
properties:
allow_restricted_indices:
- description: Restricted indices are a special category of indices that are used internally to store configuration data and should not be directly accessed. Only internal system roles should normally grant privileges over the restricted indices. Toggling this flag is very strongly discouraged because it could effectively grant unrestricted operations on critical data, making the entire system unstable or leaking sensitive information. If for administrative purposes you need to create a role with privileges covering restricted indices, however, you can set this property to true. In that case, the names field will cover the restricted indices too.
+ description: >-
+ Restricted indices are a special category of
+ indices that are used internally to store
+ configuration data and should not be
+ directly accessed. Only internal system
+ roles should normally grant privileges over
+ the restricted indices. Toggling this flag
+ is very strongly discouraged because it
+ could effectively grant unrestricted
+ operations on critical data, making the
+ entire system unstable or leaking sensitive
+ information. If for administrative purposes
+ you need to create a role with privileges
+ covering restricted indices, however, you
+ can set this property to true. In that case,
+ the names field will cover the restricted
+ indices too.
type: boolean
clusters:
items:
- description: A list of remote cluster aliases. It supports literal strings as well as wildcards and regular expressions.
+ description: >-
+ A list of remote cluster aliases. It
+ supports literal strings as well as
+ wildcards and regular expressions.
type: string
minItems: 1
type: array
field_security:
additionalProperties:
items:
- description: The document fields that the role members have read access to.
+ description: >-
+ The document fields that the role
+ members have read access to.
type: string
type: array
type: object
names:
items:
- description: A list of remote aliases, data streams, or indices to which the permissions apply. It supports wildcards (*).
+ description: >-
+ A list of remote aliases, data streams, or
+ indices to which the permissions apply. It
+ supports wildcards (*).
type: string
minItems: 1
type: array
privileges:
items:
- description: The index level privileges that role members have for the specified indices.
+ description: >-
+ The index level privileges that role
+ members have for the specified indices.
type: string
minItems: 1
type: array
query:
- description: 'A search query that defines the documents the role members have read access to. A document within the specified data streams and indices must match this query in order for it to be accessible by the role members. '
+ description: >-
+ A search query that defines the documents
+ the role members have read access to. A
+ document within the specified data streams
+ and indices must match this query in order
+ for it to be accessible by the role
+ members.
type: string
required:
- clusters
@@ -22289,7 +25018,9 @@ paths:
type: array
run_as:
items:
- description: A user name that the role member can impersonate.
+ description: >-
+ A user name that the role member can
+ impersonate.
type: string
type: array
kibana:
@@ -22308,17 +25039,23 @@ paths:
nullable: true
oneOf:
- items:
- description: A base privilege that grants applies to all spaces.
+ description: >-
+ A base privilege that grants applies to
+ all spaces.
type: string
type: array
- items:
- description: A base privilege that applies to specific spaces.
+ description: >-
+ A base privilege that applies to specific
+ spaces.
type: string
type: array
feature:
additionalProperties:
items:
- description: The privileges that the role member has for the feature.
+ description: >-
+ The privileges that the role member has for
+ the feature.
type: string
type: array
type: object
@@ -22356,8 +25093,9 @@ paths:
- roles
/api/security/session/_invalidate:
post:
- description: |
- Invalidate user sessions that match a query. To use this API, you must be a superuser.
+ description: >
+ Invalidate user sessions that match a query. To use this API, you must
+ be a superuser.
operationId: post-security-session-invalidate
parameters:
- description: A required header to protect against CSRF attacks
@@ -22372,14 +25110,19 @@ paths:
application/json:
examples:
invalidateRequestExample1:
- description: Run `POST api/security/session/_invalidate` to invalidate all existing sessions.
+ description: >-
+ Run `POST api/security/session/_invalidate` to invalidate all
+ existing sessions.
summary: Invalidate all sessions
value: |-
{
"match" : "all"
}
invalidateRequestExample2:
- description: Run `POST api/security/session/_invalidate` to invalidate sessions that were created by any SAML authentication provider.
+ description: >-
+ Run `POST api/security/session/_invalidate` to invalidate
+ sessions that were created by any SAML authentication
+ provider.
summary: Invalidate all SAML sessions
value: |-
{
@@ -22389,7 +25132,10 @@ paths:
}
}
invalidateRequestExample3:
- description: Run `POST api/security/session/_invalidate` to invalidate sessions that were created by the SAML authentication provider named `saml1`.
+ description: >-
+ Run `POST api/security/session/_invalidate` to invalidate
+ sessions that were created by the SAML authentication provider
+ named `saml1`.
summary: Invalidate sessions for a provider
value: |-
{
@@ -22399,7 +25145,11 @@ paths:
}
}
invalidateRequestExample4:
- description: Run `POST api/security/session/_invalidate` to invalidate sessions that were created by any OpenID Connect authentication provider for the user with the username `user@my-oidc-sso.com`.
+ description: >-
+ Run `POST api/security/session/_invalidate` to invalidate
+ sessions that were created by any OpenID Connect
+ authentication provider for the user with the username
+ `user@my-oidc-sso.com`.
summary: Invalidate sessions for a user
value: |-
{
@@ -22413,27 +25163,35 @@ paths:
type: object
properties:
match:
- description: |
- The method Kibana uses to determine which sessions to invalidate. If it is `all`, all existing sessions will be invalidated. If it is `query`, only the sessions that match the query will be invalidated.
+ description: >
+ The method Kibana uses to determine which sessions to
+ invalidate. If it is `all`, all existing sessions will be
+ invalidated. If it is `query`, only the sessions that match
+ the query will be invalidated.
enum:
- all
- query
type: string
query:
- description: |
- The query that Kibana uses to match the sessions to invalidate when the `match` parameter is set to `query`.
+ description: >
+ The query that Kibana uses to match the sessions to
+ invalidate when the `match` parameter is set to `query`.
type: object
properties:
provider:
- description: The authentication providers that will have their user sessions invalidated.
+ description: >-
+ The authentication providers that will have their user
+ sessions invalidated.
type: object
properties:
name:
description: The authentication provider name.
type: string
type:
- description: |
- The authentication provide type. For example: `basic`, `token`, `saml`, `oidc`, `kerberos`, or `pki`.
+ description: >
+ The authentication provide type. For example:
+ `basic`, `token`, `saml`, `oidc`, `kerberos`, or
+ `pki`.
type: string
required:
- type
@@ -22456,16 +25214,22 @@ paths:
type: integer
description: Indicates a successful call
'403':
- description: Indicates that the user may not be authorized to invalidate sessions for other users.
+ description: >-
+ Indicates that the user may not be authorized to invalidate sessions
+ for other users.
summary: Invalidate user sessions
tags:
- user session
x-state: Technical Preview
/api/short_url:
post:
- description: |
- Kibana URLs may be long and cumbersome, short URLs are much easier to remember and share.
- Short URLs are created by specifying the locator ID and locator parameters. When a short URL is resolved, the locator ID and locator parameters are used to redirect user to the right Kibana page.
+ description: >
+ Kibana URLs may be long and cumbersome, short URLs are much easier to
+ remember and share.
+
+ Short URLs are created by specifying the locator ID and locator
+ parameters. When a short URL is resolved, the locator ID and locator
+ parameters are used to redirect user to the right Kibana page.
operationId: post-url
requestBody:
content:
@@ -22474,21 +25238,33 @@ paths:
type: object
properties:
humanReadableSlug:
- description: |
- When the `slug` parameter is omitted, the API will generate a random human-readable slug if `humanReadableSlug` is set to true.
+ description: >
+ When the `slug` parameter is omitted, the API will generate
+ a random human-readable slug if `humanReadableSlug` is set
+ to true.
type: boolean
locatorId:
description: The identifier for the locator.
type: string
params:
- description: |
- An object which contains all necessary parameters for the given locator to resolve to a Kibana location.
+ description: >
+ An object which contains all necessary parameters for the
+ given locator to resolve to a Kibana location.
+
> warn
- > When you create a short URL, locator params are not validated, which allows you to pass arbitrary and ill-formed data into the API that can break Kibana. Make sure any data that you send to the API is properly formed.
+
+ > When you create a short URL, locator params are not
+ validated, which allows you to pass arbitrary and ill-formed
+ data into the API that can break Kibana. Make sure any data
+ that you send to the API is properly formed.
type: object
slug:
- description: |
- A custom short URL slug. The slug is the part of the short URL that identifies it. You can provide a custom slug which consists of latin alphabet letters, numbers, and `-._` characters. The slug must be at least 3 characters long, but no longer than 255 characters.
+ description: >
+ A custom short URL slug. The slug is the part of the short
+ URL that identifies it. You can provide a custom slug which
+ consists of latin alphabet letters, numbers, and `-._`
+ characters. The slug must be at least 3 characters long, but
+ no longer than 255 characters.
type: string
required:
- locatorId
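Review bot: The `slug` description states a 3–255 character length limit and a restricted alphabet, but the schema beneath it carries only `type: string`, so validators and generated clients cannot enforce either; adding `minLength: 3`, `maxLength: 255` and a pattern derived from the prose (e.g. `pattern: '^[A-Za-z0-9._-]+$'`) next to `type: string` would make the contract machine-checkable. The `params` property is documented as unvalidated pass-through data and its bare `type: object` matches that, so the warning blockquote the rewrite preserves is the only guard a consumer sees and is worth keeping prominent. These schema lines are unchanged context, so the fix belongs in the source this file is generated from.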
@@ -22561,7 +25337,15 @@ paths:
x-state: Technical Preview
/api/spaces/_copy_saved_objects:
post:
- description: 'It also allows you to automatically copy related objects, so when you copy a dashboard, this can automatically copy over the associated visualizations, data views, and saved Discover sessions, as required. You can request to overwrite any objects that already exist in the target space if they share an identifier or you can use the resolve copy saved objects conflicts API to do this on a per-object basis.
[Required authorization] Route required privileges: copySavedObjectsToSpaces.'
+ description: >-
+ It also allows you to automatically copy related objects, so when you
+ copy a dashboard, this can automatically copy over the associated
+ visualizations, data views, and saved Discover sessions, as required.
+ You can request to overwrite any objects that already exist in the
+ target space if they share an identifier or you can use the resolve copy
+ saved objects conflicts API to do this on a per-object
+ basis.
[Required authorization] Route required privileges:
+ copySavedObjectsToSpaces.
operationId: post-spaces-copy-saved-objects
parameters:
- description: A required header to protect against CSRF attacks
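Review bot: Inside the new `>-` folded scalar the `[Required authorization] Route required privileges: copySavedObjectsToSpaces.` line is folded onto the preceding sentence with a single space, so the rendered description runs the privilege requirement straight on from "per-object basis." (assuming the unmarked `[Required authorization]` line is part of the added block, as its counterpart in the `/api/spaces/_resolve_copy_saved_objects_errors` hunk suggests). An empty line before `[Required authorization]` within the folded block would render the authorization prerequisite as its own paragraph, which is where readers look for it. The old single-quoted scalar folded the same way, so this is a pre-existing presentation issue the rewrite could cheaply fix.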
@@ -22580,15 +25364,26 @@ paths:
properties:
compatibilityMode:
default: false
- description: Apply various adjustments to the saved objects that are being copied to maintain compatibility between different Kibana versions. Use this option only if you encounter issues with copied saved objects. This option cannot be used with the `createNewCopies` option.
+ description: >-
+ Apply various adjustments to the saved objects that are
+ being copied to maintain compatibility between different
+ Kibana versions. Use this option only if you encounter
+ issues with copied saved objects. This option cannot be used
+ with the `createNewCopies` option.
type: boolean
createNewCopies:
default: true
- description: Create new copies of saved objects, regenerate each object identifier, and reset the origin. When used, potential conflict errors are avoided. This option cannot be used with the `overwrite` and `compatibilityMode` options.
+ description: >-
+ Create new copies of saved objects, regenerate each object
+ identifier, and reset the origin. When used, potential
+ conflict errors are avoided. This option cannot be used
+ with the `overwrite` and `compatibilityMode` options.
type: boolean
includeReferences:
default: false
- description: When set to true, all saved objects related to the specified saved objects will also be copied into the target spaces.
+ description: >-
+ When set to true, all saved objects related to the specified
+ saved objects will also be copied into the target spaces.
type: boolean
objects:
items:
@@ -22607,34 +25402,24 @@ paths:
type: array
overwrite:
default: false
- description: When set to true, all conflicts are automatically overridden. When a saved object with a matching type and identifier exists in the target space, that version is replaced with the version from the source space. This option cannot be used with the `createNewCopies` option.
+ description: >-
+ When set to true, all conflicts are automatically
+ overridden. When a saved object with a matching type and
+ identifier exists in the target space, that version is
+ replaced with the version from the source space. This option
+ cannot be used with the `createNewCopies` option.
type: boolean
spaces:
items:
- description: The identifiers of the spaces where you want to copy the specified objects.
+ description: >-
+ The identifiers of the spaces where you want to copy the
+ specified objects.
type: string
type: array
required:
- spaces
- objects
- examples:
- copySavedObjectsRequestExample1:
- $ref: '#/components/examples/copy_saved_objects_request1'
- copySavedObjectsRequestExample2:
- $ref: '#/components/examples/copy_saved_objects_request2'
- responses:
- '200':
- content:
- application/json:
- examples:
- copySavedObjectsResponseExample1:
- $ref: '#/components/examples/copy_saved_objects_response1'
- copySavedObjectsResponseExample2:
- $ref: '#/components/examples/copy_saved_objects_response2'
- copySavedObjectsResponseExample3:
- $ref: '#/components/examples/copy_saved_objects_response3'
- copySavedObjectsResponseExample4:
- $ref: '#/components/examples/copy_saved_objects_response4'
+ responses: {}
summary: Copy saved objects between spaces
tags:
- spaces
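Review bot: `responses: {}` on the new side leaves the `/api/spaces/_copy_saved_objects` POST with no documented response at all, and an OpenAPI 3.0.3 Responses Object must contain at least one response code, so spec validators will reject it; the same replacement appears in the `/api/spaces/_resolve_copy_saved_objects_errors` and `/api/spaces/_update_objects_spaces` hunks. Dropping the `$ref` examples is fine if the referenced `#/components/examples/copy_saved_objects_*` entries no longer exist, but the `'200'` entry itself should survive, e.g. `responses:` / `'200':` / `description: Indicates a successful call.`, matching the form the spaces GET operations use in this same diff. Since this file is generated output, the fix presumably belongs in the source schema rather than here.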
@@ -22662,7 +25447,9 @@ paths:
type: object
properties:
sourceId:
- description: The alias source object identifier. This is the legacy object identifier.
+ description: >-
+ The alias source object identifier. This is the legacy
+ object identifier.
type: string
targetSpace:
description: The space where the alias target object exists.
@@ -22677,9 +25464,6 @@ paths:
type: array
required:
- aliases
- examples:
- disableLegacyURLRequestExample1:
- $ref: '#/components/examples/disable_legacy_url_request1'
responses: {}
summary: Disable legacy URL aliases
tags:
@@ -22724,7 +25508,10 @@ paths:
- spaces
/api/spaces/_resolve_copy_saved_objects_errors:
post:
- description: 'Overwrite saved objects that are returned as errors from the copy saved objects to space API.
[Required authorization] Route required privileges: copySavedObjectsToSpaces.'
+ description: >-
+ Overwrite saved objects that are returned as errors from the copy saved
+ objects to space API.
[Required authorization] Route required
+ privileges: copySavedObjectsToSpaces.
operationId: post-spaces-resolve-copy-saved-objects-errors
parameters:
- description: A required header to protect against CSRF attacks
@@ -22770,20 +25557,30 @@ paths:
type: object
properties:
createNewCopy:
- description: Creates new copies of the saved objects, regenerates each object ID, and resets the origin.
+ description: >-
+ Creates new copies of the saved objects, regenerates
+ each object ID, and resets the origin.
type: boolean
destinationId:
- description: Specifies the destination identifier that the copied object should have, if different from the current identifier.
+ description: >-
+ Specifies the destination identifier that the copied
+ object should have, if different from the current
+ identifier.
type: string
id:
description: The saved object identifier.
type: string
ignoreMissingReferences:
- description: When set to true, any missing references errors are ignored.
+ description: >-
+ When set to true, any missing references errors are
+ ignored.
type: boolean
overwrite:
default: false
- description: When set to true, the saved object from the source space overwrites the conflicting object in the destination space.
+ description: >-
+ When set to true, the saved object from the source
+ space overwrites the conflicting object in the
+ destination space.
type: boolean
type:
description: The saved object type.
@@ -22796,20 +25593,7 @@ paths:
required:
- retries
- objects
- examples:
- resolveCopySavedObjectsRequestExample1:
- $ref: '#/components/examples/resolve_copy_saved_objects_request1'
- resolveCopySavedObjectsRequestExample2:
- $ref: '#/components/examples/resolve_copy_saved_objects_request2'
- responses:
- '200':
- content:
- application/json:
- examples:
- resolveCopySavedObjectsResponseExample1:
- $ref: '#/components/examples/copy_saved_objects_response1'
- resolveCopySavedObjectsResponseExample2:
- $ref: '#/components/examples/copy_saved_objects_response2'
+ responses: {}
summary: Resolve conflicts copying saved objects
tags: []
/api/spaces/_update_objects_spaces:
@@ -22848,28 +25632,23 @@ paths:
type: array
spacesToAdd:
items:
- description: The identifiers of the spaces the saved objects should be added to or removed from.
+ description: >-
+ The identifiers of the spaces the saved objects should be
+ added to or removed from.
type: string
type: array
spacesToRemove:
items:
- description: The identifiers of the spaces the saved objects should be added to or removed from.
+ description: >-
+ The identifiers of the spaces the saved objects should be
+ added to or removed from.
type: string
type: array
required:
- objects
- spacesToAdd
- spacesToRemove
- examples:
- updateObjectSpacesRequestExample1:
- $ref: '#/components/examples/update_saved_objects_spaces_request1'
- responses:
- '200':
- content:
- application/json:
- examples:
- updateObjectSpacesResponseExample1:
- $ref: '#/components/examples/update_saved_objects_spaces_response1'
+ responses: {}
summary: Update saved objects in spaces
tags:
- spaces
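Review bot: The rewrapped descriptions for `spacesToAdd` and `spacesToRemove` are identical ("should be added to or removed from"), so neither array tells the reader which direction it controls. Each should describe its own role, e.g. `The identifiers of the spaces the saved objects should be added to.` for `spacesToAdd` and `The identifiers of the spaces the saved objects should be removed from.` for `spacesToRemove`. As with the rest of this file, the wording change belongs in the generating source.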
@@ -22877,7 +25656,9 @@ paths:
get:
operationId: get-spaces-space
parameters:
- - description: Specifies which authorization checks are applied to the API call. The default value is `any`.
+ - description: >-
+ Specifies which authorization checks are applied to the API call.
+ The default value is `any`.
in: query
name: purpose
required: false
@@ -22887,7 +25668,14 @@ paths:
- copySavedObjectsIntoSpace
- shareSavedObjectsIntoSpace
type: string
- - description: When enabled, the API returns any spaces that the user is authorized to access in any capacity and each space will contain the purposes for which the user is authorized. This can be useful to determine which spaces a user can read but not take a specific action in. If the security plugin is not enabled, this parameter has no effect, since no authorization checks take place. This parameter cannot be used in with the `purpose` parameter.
+ - description: >-
+ When enabled, the API returns any spaces that the user is authorized
+ to access in any capacity and each space will contain the purposes
+ for which the user is authorized. This can be useful to determine
+ which spaces a user can read but not take a specific action in. If
+ the security plugin is not enabled, this parameter has no effect,
+ since no authorization checks take place. This parameter cannot be
+ used in with the `purpose` parameter.
in: query
name: include_authorized_purposes
required: true
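Review bot: `required: true` on `include_authorized_purposes` contradicts the rewritten description just above it, which says the parameter cannot be used together with `purpose`; if it is genuinely required then `purpose` can never be sent, and if it is optional (as `purpose` having `required: false` suggests) the flag is wrong and should be `required: false`. The line is unchanged context, so this is a pre-existing schema issue to fix at the source. The new wording also carries over the typo "used in with the `purpose` parameter", which should read "used with the `purpose` parameter".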
@@ -22910,13 +25698,6 @@ paths:
responses:
'200':
description: Indicates a successful call.
- content:
- application/json:
- examples:
- getSpacesResponseExample1:
- $ref: '#/components/examples/get_spaces_response1'
- getSpacesResponseExample2:
- $ref: '#/components/examples/get_spaces_response2'
summary: Get all spaces
tags:
- spaces
@@ -22940,7 +25721,10 @@ paths:
_reserved:
type: boolean
color:
- description: The hexadecimal color code used in the space avatar. By default, the color is automatically generated from the space name.
+ description: >-
+ The hexadecimal color code used in the space avatar. By
+ default, the color is automatically generated from the space
+ name.
type: string
description:
description: A description for the space.
@@ -22952,13 +25736,26 @@ paths:
type: string
type: array
id:
- description: The space ID that is part of the Kibana URL when inside the space. Space IDs are limited to lowercase alphanumeric, underscore, and hyphen characters (a-z, 0-9, _, and -). You are cannot change the ID with the update operation.
+ description: >-
+ The space ID that is part of the Kibana URL when inside the
+ space. Space IDs are limited to lowercase alphanumeric,
+ underscore, and hyphen characters (a-z, 0-9, _, and -). You
+ are cannot change the ID with the update operation.
type: string
imageUrl:
- description: The data-URL encoded image to display in the space avatar. If specified, initials will not be displayed and the color will be visible as the background color for transparent images. For best results, your image should be 64x64. Images will not be optimized by this API call, so care should be taken when using custom images.
+ description: >-
+ The data-URL encoded image to display in the space avatar.
+ If specified, initials will not be displayed and the color
+ will be visible as the background color for transparent
+ images. For best results, your image should be 64x64. Images
+ will not be optimized by this API call, so care should be
+ taken when using custom images.
type: string
initials:
- description: One or two characters that are shown in the space avatar. By default, the initials are automatically generated from the space name.
+ description: >-
+ One or two characters that are shown in the space avatar. By
+ default, the initials are automatically generated from the
+ space name.
maxLength: 2
type: string
name:
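Review bot: The rewritten `id` description keeps the typo `You are cannot change the ID with the update operation`, which should read `You cannot change the ID with the update operation`; the same text is duplicated in the `/api/spaces/space/{id}` put hunk. The description also promises a restricted character set (a-z, 0-9, _, -) that the schema does not encode, so a `pattern: '^[a-z0-9_-]+$'` next to `type: string` would let validators enforce it instead of relying on prose. Both changes belong in the generating source since this file is output.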
@@ -22975,9 +25772,6 @@ paths:
required:
- id
- name
- examples:
- createSpaceRequest:
- $ref: '#/components/examples/create_space_request'
responses:
'200':
description: Indicates a successful call.
@@ -22986,7 +25780,9 @@ paths:
- spaces
/api/spaces/space/{id}:
delete:
- description: When you delete a space, all saved objects that belong to the space are automatically deleted, which is permanent and cannot be undone.
+ description: >-
+ When you delete a space, all saved objects that belong to the space are
+ automatically deleted, which is permanent and cannot be undone.
operationId: delete-spaces-space-id
parameters:
- description: A required header to protect against CSRF attacks
@@ -23022,11 +25818,6 @@ paths:
responses:
'200':
description: Indicates a successful call.
- content:
- application/json:
- examples:
- getSpaceResponseExample:
- $ref: '#/components/examples/get_space_response'
summary: Get a space
tags:
- spaces
@@ -23040,7 +25831,9 @@ paths:
schema:
example: 'true'
type: string
- - description: The space identifier. You are unable to change the ID with the update operation.
+ - description: >-
+ The space identifier. You are unable to change the ID with the
+ update operation.
in: path
name: id
required: true
@@ -23056,7 +25849,10 @@ paths:
_reserved:
type: boolean
color:
- description: The hexadecimal color code used in the space avatar. By default, the color is automatically generated from the space name.
+ description: >-
+ The hexadecimal color code used in the space avatar. By
+ default, the color is automatically generated from the space
+ name.
type: string
description:
description: A description for the space.
@@ -23068,13 +25864,26 @@ paths:
type: string
type: array
id:
- description: The space ID that is part of the Kibana URL when inside the space. Space IDs are limited to lowercase alphanumeric, underscore, and hyphen characters (a-z, 0-9, _, and -). You are cannot change the ID with the update operation.
+ description: >-
+ The space ID that is part of the Kibana URL when inside the
+ space. Space IDs are limited to lowercase alphanumeric,
+ underscore, and hyphen characters (a-z, 0-9, _, and -). You
+ are cannot change the ID with the update operation.
type: string
imageUrl:
- description: The data-URL encoded image to display in the space avatar. If specified, initials will not be displayed and the color will be visible as the background color for transparent images. For best results, your image should be 64x64. Images will not be optimized by this API call, so care should be taken when using custom images.
+ description: >-
+ The data-URL encoded image to display in the space avatar.
+ If specified, initials will not be displayed and the color
+ will be visible as the background color for transparent
+ images. For best results, your image should be 64x64. Images
+ will not be optimized by this API call, so care should be
+ taken when using custom images.
type: string
initials:
- description: One or two characters that are shown in the space avatar. By default, the initials are automatically generated from the space name.
+ description: >-
+ One or two characters that are shown in the space avatar. By
+ default, the initials are automatically generated from the
+ space name.
maxLength: 2
type: string
name:
@@ -23091,9 +25900,6 @@ paths:
required:
- id
- name
- examples:
- updateSpaceRequest:
- $ref: '#/components/examples/update_space_request'
responses:
'200':
description: Indicates a successful call.
@@ -23123,8 +25929,11 @@ paths:
schema:
anyOf:
- $ref: '#/components/schemas/Kibana_HTTP_APIs_core_status_response'
- - $ref: '#/components/schemas/Kibana_HTTP_APIs_core_status_redactedResponse'
- description: Kibana's operational status. A minimal response is sent for unauthorized users.
+ - $ref: >-
+ #/components/schemas/Kibana_HTTP_APIs_core_status_redactedResponse
+ description: >-
+ Kibana's operational status. A minimal response is sent for
+ unauthorized users.
description: Overall status is OK and Kibana should be functioning normally.
'503':
content:
@@ -23132,17 +25941,24 @@ paths:
schema:
anyOf:
- $ref: '#/components/schemas/Kibana_HTTP_APIs_core_status_response'
- - $ref: '#/components/schemas/Kibana_HTTP_APIs_core_status_redactedResponse'
- description: Kibana's operational status. A minimal response is sent for unauthorized users.
- description: Kibana or some of it's essential services are unavailable. Kibana may be degraded or unavailable.
+ - $ref: >-
+ #/components/schemas/Kibana_HTTP_APIs_core_status_redactedResponse
+ description: >-
+ Kibana's operational status. A minimal response is sent for
+ unauthorized users.
+ description: >-
+ Kibana or some of it's essential services are unavailable. Kibana
+ may be degraded or unavailable.
summary: Get Kibana's current status
tags:
- system
/api/synthetics/monitors:
get:
- description: |
+ description: >
Get a list of monitors.
- You must have `read` privileges for the Synthetics feature in the Observability section of the Kibana feature privileges.
+
+ You must have `read` privileges for the Synthetics feature in the
+ Observability section of the Kibana feature privileges.
operationId: get-synthetic-monitors
parameters:
- description: Additional filtering criteria.
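Review bot: The rewritten 503 description carries the grammatical slip `some of it's essential services`, which should read `some of its essential services`. Minor, but the text is user-facing in the published API reference, and the correction belongs in the source this file is generated from.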
@@ -23230,8 +26046,10 @@ paths:
oneOf:
- type: string
- type: array
- - description: |
- Specifies whether to apply logical AND filtering for specific fields. Accepts either a string with values "tags" or "locations" or an array containing both.
+ - description: >
+ Specifies whether to apply logical AND filtering for specific
+ fields. Accepts either a string with values "tags" or "locations" or
+ an array containing both.
in: query
name: useLogicalAndFor
schema:
@@ -23252,7 +26070,9 @@ paths:
application/json:
examples:
getSyntheticMonitorsResponseExample1:
- description: A successful response from `GET /api/synthetics/monitors?tags=prod&monitorTypes=http&locations=us-east-1&projects=project1&status=up`.
+ description: >-
+ A successful response from `GET
+ /api/synthetics/monitors?tags=prod&monitorTypes=http&locations=us-east-1&projects=project1&status=up`.
value: |-
{
"page": 1,
@@ -23311,9 +26131,13 @@ paths:
tags:
- synthetics
post:
- description: |
- Create a new monitor with the specified attributes. A monitor can be one of the following types: HTTP, TCP, ICMP, or Browser. The required and default fields may vary based on the monitor type.
- You must have `all` privileges for the Synthetics feature in the Observability section of the Kibana feature privileges.
+ description: >
+ Create a new monitor with the specified attributes. A monitor can be one
+ of the following types: HTTP, TCP, ICMP, or Browser. The required and
+ default fields may vary based on the monitor type.
+
+ You must have `all` privileges for the Synthetics feature in the
+ Observability section of the Kibana feature privileges.
operationId: post-synthetic-monitors
requestBody:
content:
@@ -23361,8 +26185,10 @@ paths:
"locations": ["united_kingdom"]
}
schema:
- description: |
- The request body should contain the attributes of the monitor you want to create. The required and default fields differ depending on the monitor type.
+ description: >
+ The request body should contain the attributes of the monitor
+ you want to create. The required and default fields differ
+ depending on the monitor type.
discriminator:
propertyName: type
oneOf:
@@ -23387,7 +26213,9 @@ paths:
application/json:
examples:
bulkDeleteRequestExample1:
- description: Run `POST /api/synthetics/monitors/_bulk_delete` to delete a list of monitors.
+ description: >-
+ Run `POST /api/synthetics/monitors/_bulk_delete` to delete a
+ list of monitors.
value: |-
{
"ids": [
@@ -23426,12 +26254,15 @@ paths:
]
schema:
items:
- description: The API response includes information about the deleted monitors.
+ description: >-
+ The API response includes information about the deleted
+ monitors.
type: object
properties:
deleted:
- description: |
- If it is `true`, the monitor was successfully deleted If it is `false`, the monitor was not deleted.
+ description: >
+ If it is `true`, the monitor was successfully deleted If
+ it is `false`, the monitor was not deleted.
type: boolean
ids:
description: The unique identifier of the deleted monitor.
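Review bot: The rewrapped `deleted` description runs two sentences together: `the monitor was successfully deleted If it is` lacks the period before `If`. It should read `If it is true, the monitor was successfully deleted. If it is false, the monitor was not deleted.` (with the backticked values kept). Being a folded block, the rewrap has put the seam at a line break, which makes the missing punctuation easy to overlook.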
@@ -23442,9 +26273,11 @@ paths:
- synthetics
/api/synthetics/monitors/{id}:
delete:
- description: |
+ description: >
Delete a monitor from the Synthetics app.
- You must have `all` privileges for the Synthetics feature in the Observability section of the Kibana feature privileges.
+
+ You must have `all` privileges for the Synthetics feature in the
+ Observability section of the Kibana feature privileges.
operationId: delete-synthetic-monitor
parameters:
- description: The identifier for the monitor that you want to delete.
@@ -23471,7 +26304,9 @@ paths:
application/json:
examples:
getSyntheticMonitorResponseExample1:
- description: A successful response from `GET /api/synthetics/monitors/`.
+ description: >-
+ A successful response from `GET
+ /api/synthetics/monitors/`.
value: |-
{
"type": "http",
@@ -23536,10 +26371,17 @@ paths:
tags:
- synthetics
put:
- description: |
- Update a monitor with the specified attributes. The required and default fields may vary based on the monitor type.
- You must have `all` privileges for the Synthetics feature in the Observability section of the Kibana feature privileges.
- You can also partially update a monitor. This will only update the fields that are specified in the request body. All other fields are left unchanged. The specified fields should conform to the monitor type. For example, you can't update the `inline_scipt` field of a HTTP monitor.
+ description: >
+ Update a monitor with the specified attributes. The required and default
+ fields may vary based on the monitor type.
+
+ You must have `all` privileges for the Synthetics feature in the
+ Observability section of the Kibana feature privileges.
+
+ You can also partially update a monitor. This will only update the
+ fields that are specified in the request body. All other fields are left
+ unchanged. The specified fields should conform to the monitor type. For
+ example, you can't update the `inline_scipt` field of a HTTP monitor.
operationId: put-synthetic-monitor
parameters:
- description: The identifier for the monitor that you want to update.
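Review bot: The rewritten description ends with the field name `inline_scipt`, which appears to be a misspelling of the synthetics browser-monitor attribute `inline_script`; readers searching the reference for the real field will not find this sentence. The folded block now places the misspelling on its own line at the end of the scalar, so it is easy to miss in review. The fix belongs in the generating source.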
@@ -23594,8 +26436,10 @@ paths:
"locations": ["united_kingdom"]
}
schema:
- description: |
- The request body should contain the attributes of the monitor you want to update. The required and default fields differ depending on the monitor type.
+ description: >
+ The request body should contain the attributes of the monitor
+ you want to update. The required and default fields differ
+ depending on the monitor type.
discriminator:
propertyName: type
oneOf:
@@ -23610,8 +26454,10 @@ paths:
- synthetics
/api/synthetics/params:
get:
- description: |
- Get a list of all parameters. You must have `read` privileges for the Synthetics feature in the Observability section of the Kibana feature privileges.
+ description: >
+ Get a list of all parameters. You must have `read` privileges for the
+ Synthetics feature in the Observability section of the Kibana feature
+ privileges.
operationId: get-parameters
responses:
'200':
@@ -23619,7 +26465,9 @@ paths:
application/json:
examples:
getParametersResponseExample1:
- description: A successful response for a user with read-only permissions to get a list of parameters.
+ description: >-
+ A successful response for a user with read-only permissions
+ to get a list of parameters.
summary: Read access
value: |-
[
@@ -23639,7 +26487,9 @@ paths:
}
]
getParametersResponseExample2:
- description: A successful response for a user with write permissions to get a list of parameters.
+ description: >-
+ A successful response for a user with write permissions to
+ get a list of parameters.
summary: Write access
value: |-
[
@@ -23669,9 +26519,11 @@ paths:
tags:
- synthetics
post:
- description: |
+ description: >
Add one or more parameters to the Synthetics app.
- You must have `all` privileges for the Synthetics feature in the Observability section of the Kibana feature privileges.
+
+ You must have `all` privileges for the Synthetics feature in the
+ Observability section of the Kibana feature privileges.
operationId: post-parameters
requestBody:
content:
@@ -23708,7 +26560,9 @@ paths:
$ref: '#/components/schemas/Synthetics_parameterRequest'
type: array
- $ref: '#/components/schemas/Synthetics_parameterRequest'
- description: The request body can contain either a single parameter object or an array of parameter objects.
+ description: >-
+ The request body can contain either a single parameter object or an
+ array of parameter objects.
required: true
responses:
'200':
@@ -23755,16 +26609,20 @@ paths:
- synthetics
/api/synthetics/params/_bulk_delete:
delete:
- description: |
+ description: >
Delete parameters from the Synthetics app.
- You must have `all` privileges for the Synthetics feature in the Observability section of the Kibana feature privileges.
+
+ You must have `all` privileges for the Synthetics feature in the
+ Observability section of the Kibana feature privileges.
operationId: delete-parameters
requestBody:
content:
application/json:
examples:
deleteParametersRequestExample1:
- description: Run `POST /api/synthetics/params/_bulk_delete` to delete multiple parameters.
+ description: >-
+ Run `POST /api/synthetics/params/_bulk_delete` to delete
+ multiple parameters.
value: |-
{
"ids": ["param1-id", "param2-id"]
@@ -23796,8 +26654,10 @@ paths:
type: object
properties:
deleted:
- description: |
- Indicates whether the parameter was successfully deleted. It is `true` if it was deleted. It is `false` if it was not deleted.
+ description: >
+ Indicates whether the parameter was successfully
+ deleted. It is `true` if it was deleted. It is `false`
+ if it was not deleted.
type: boolean
id:
description: The unique identifier for the deleted parameter.
@@ -23809,9 +26669,11 @@ paths:
- synthetics
/api/synthetics/params/{id}:
delete:
- description: |
+ description: >
Delete a parameter from the Synthetics app.
- You must have `all` privileges for the Synthetics feature in the Observability section of the Kibana feature privileges.
+
+ You must have `all` privileges for the Synthetics feature in the
+ Observability section of the Kibana feature privileges.
operationId: delete-parameter
parameters:
- description: The ID for the parameter to delete.
@@ -23824,9 +26686,11 @@ paths:
tags:
- synthetics
get:
- description: |
+ description: >
Get a parameter from the Synthetics app.
- You must have `read` privileges for the Synthetics feature in the Observability section of the Kibana feature privileges.
+
+ You must have `read` privileges for the Synthetics feature in the
+ Observability section of the Kibana feature privileges.
operationId: get-parameter
parameters:
- description: The unique identifier for the parameter.
@@ -23841,7 +26705,9 @@ paths:
application/json:
examples:
getParameterResponseExample1:
- description: A successful response for a user with read-only permissions to get a single parameter.
+ description: >-
+ A successful response for a user with read-only permissions
+ to get a single parameter.
summary: Read access
value: |-
{
@@ -23852,7 +26718,9 @@ paths:
"namespaces": ["namespace1", "namespace2"]
}
getParameterResponseExample2:
- description: A successful response for a user with write permissions to get a single parameter.
+ description: >-
+ A successful response for a user with write permissions to
+ get a single parameter.
summary: Write access
value: |-
{
@@ -23870,9 +26738,11 @@ paths:
tags:
- synthetics
put:
- description: |
+ description: >
Update a parameter in the Synthetics app.
- You must have `all` privileges for the Synthetics feature in the Observability section of the Kibana feature privileges.
+
+ You must have `all` privileges for the Synthetics feature in the
+ Observability section of the Kibana feature privileges.
operationId: put-parameter
parameters:
- description: The unique identifier for the parameter.
@@ -23934,9 +26804,11 @@ paths:
- synthetics
/api/synthetics/private_locations:
get:
- description: |
+ description: >
Get a list of private locations.
- You must have `read` privileges for the Synthetics and Uptime feature in the Observability section of the Kibana feature privileges.
+
+ You must have `read` privileges for the Synthetics and Uptime feature in
+ the Observability section of the Kibana feature privileges.
operationId: get-private-locations
responses:
'200':
@@ -23978,14 +26850,18 @@ paths:
tags:
- synthetics
post:
- description: You must have `all` privileges for the Synthetics and Uptime feature in the Observability section of the Kibana feature privileges.
+ description: >-
+ You must have `all` privileges for the Synthetics and Uptime feature in
+ the Observability section of the Kibana feature privileges.
operationId: post-private-location
requestBody:
content:
application/json:
examples:
postPrivateLocationRequestExample1:
- description: Run `POST /api/private_locations` to create a private location.
+ description: >-
+ Run `POST /api/private_locations` to create a private
+ location.
value: |-
{
"label": "Private Location 1",
@@ -24001,7 +26877,9 @@ paths:
type: object
properties:
agentPolicyId:
- description: The ID of the agent policy associated with the private location.
+ description: >-
+ The ID of the agent policy associated with the private
+ location.
type: string
geo:
description: Geographic coordinates (WGS84) for the location.
@@ -24020,8 +26898,10 @@ paths:
description: A label for the private location.
type: string
spaces:
- description: |
- An array of space IDs where the private location is available. If it is not provided, the private location is available in all spaces.
+ description: >
+ An array of space IDs where the private location is
+ available. If it is not provided, the private location is
+ available in all spaces.
items:
type: string
type: array
@@ -24055,16 +26935,25 @@ paths:
type: object
description: A successful response.
'400':
- description: If the `agentPolicyId` is already used by an existing private location or if the `label` already exists, the API will return a 400 Bad Request response with a corresponding error message.
+ description: >-
+ If the `agentPolicyId` is already used by an existing private
+ location or if the `label` already exists, the API will return a 400
+ Bad Request response with a corresponding error message.
summary: Create a private location
tags:
- synthetics
/api/synthetics/private_locations/{id}:
delete:
- description: |
- You must have `all` privileges for the Synthetics and Uptime feature in the Observability section of the Kibana feature privileges.
- The API does not return a response body for deletion, but it will return an appropriate status code upon successful deletion.
- A location cannot be deleted if it has associated monitors in use. You must delete all monitors associated with the location before deleting the location.
+ description: >
+ You must have `all` privileges for the Synthetics and Uptime feature in
+ the Observability section of the Kibana feature privileges.
+
+ The API does not return a response body for deletion, but it will return
+ an appropriate status code upon successful deletion.
+
+ A location cannot be deleted if it has associated monitors in use. You
+ must delete all monitors associated with the location before deleting
+ the location.
operationId: delete-private-location
parameters:
- description: The unique identifier of the private location to be deleted.
@@ -24079,8 +26968,9 @@ paths:
tags:
- synthetics
get:
- description: |
- You must have `read` privileges for the Synthetics and Uptime feature in the Observability section of the Kibana feature privileges.
+ description: >
+ You must have `read` privileges for the Synthetics and Uptime feature in
+ the Observability section of the Kibana feature privileges.
operationId: get-private-location
parameters:
- description: A private location identifier or label.
@@ -24125,7 +27015,8 @@ paths:
application/json:
examples:
taskManagerHealthResponse1:
- $ref: '#/components/examples/Task_manager_health_APIs_health_200response'
+ $ref: >-
+ #/components/examples/Task_manager_health_APIs_health_200response
schema:
$ref: '#/components/schemas/Task_manager_health_APIs_health_response'
description: Indicates a successful call
@@ -24143,14 +27034,18 @@ paths:
type: object
properties:
savedObjectIds:
- description: The list of IDs of the Timelines or Timeline templates to delete
+ description: >-
+ The list of IDs of the Timelines or Timeline templates to
+ delete
example:
- 15c1929b-0af7-42bd-85a8-56e234cc7c4e
items:
type: string
type: array
searchIds:
- description: Saved search IDs that should be deleted alongside the timelines
+ description: >-
+ Saved search IDs that should be deleted alongside the
+ timelines
example:
- 23f3-43g34g322-e5g5hrh6h-45454
- 6ce1b592-84e3-4b4a-9552-f189d4b82075
@@ -24181,6 +27076,7 @@ paths:
summary: Delete Timelines or Timeline templates
tags:
- Security Timeline API
+ - access:securitySolution
get:
description: Get the details of an existing saved Timeline or Timeline template.
operationId: GetTimeline
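Review bot: The `access:securitySolution` entry added under `tags` (L14706) is an OpenAPI grouping tag, so renderers will show it as a category of operations, not as an authorization requirement, and the adjacent GetTimeline description (L14708) still says nothing about the privilege needed. Elsewhere in this file the requirement is stated in the description itself ("You must have `all` privileges for the Synthetics feature in the Observability section of the Kibana feature privileges."), so I would add an equivalent sentence here, e.g. `description: Get the details of an existing saved Timeline or Timeline template. Requires the Security Solution feature privilege (`access:securitySolution`).`, with the exact privilege wording confirmed against the route's authz configuration since this looks like generated output. The same applies to each `access:securitySolution` tag added in the timeline hunks below. The delete operation this tag belongs to starts outside the hunk.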
@@ -24207,7 +27103,8 @@ paths:
type: object
properties:
getOneTimeline:
- $ref: '#/components/schemas/Security_Timeline_API_TimelineResponse'
+ $ref: >-
+ #/components/schemas/Security_Timeline_API_TimelineResponse
required:
- getOneTimeline
required:
@@ -24218,8 +27115,12 @@ paths:
summary: Get Timeline or Timeline template details
tags:
- Security Timeline API
+ - access:securitySolution
patch:
- description: Update an existing Timeline. You can update the title, description, date range, pinned events, pinned queries, and/or pinned saved queries of an existing Timeline.
+ description: >-
+ Update an existing Timeline. You can update the title, description, date
+ range, pinned events, pinned queries, and/or pinned saved queries of an
+ existing Timeline.
operationId: PatchTimeline
requestBody:
content:
@@ -24229,14 +27130,20 @@ paths:
properties:
timeline:
$ref: '#/components/schemas/Security_Timeline_API_SavedTimeline'
- description: The timeline object of the Timeline or Timeline template that you’re updating.
+ description: >-
+ The timeline object of the Timeline or Timeline template
+ that you’re updating.
timelineId:
- description: The `savedObjectId` of the Timeline or Timeline template that you’re updating.
+ description: >-
+ The `savedObjectId` of the Timeline or Timeline template
+ that you’re updating.
example: 15c1929b-0af7-42bd-85a8-56e234cc7c4e
nullable: true
type: string
version:
- description: The version of the Timeline or Timeline template that you’re updating.
+ description: >-
+ The version of the Timeline or Timeline template that you’re
+ updating.
example: WzE0LDFd
nullable: true
type: string
@@ -24251,7 +27158,8 @@ paths:
content:
application/json:
schema:
- $ref: '#/components/schemas/Security_Timeline_API_PersistTimelineResponse'
+ $ref: >-
+ #/components/schemas/Security_Timeline_API_PersistTimelineResponse
description: Indicates that the Timeline was successfully updated.
'405':
content:
@@ -24266,10 +27174,13 @@ paths:
statusCode:
example: 405
type: number
- description: Indicates that the user does not have the required access to create a Timeline.
+ description: >-
+ Indicates that the user does not have the required access to create
+ a Timeline.
summary: Update a Timeline
tags:
- Security Timeline API
+ - access:securitySolution
post:
description: Create a new Timeline or Timeline template.
operationId: CreateTimelines
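Review bot: The reflowed 405 description for PatchTimeline (L14773–L14775) still says "required access to create a Timeline", but this is the update operation, so the text should read `Indicates that the user does not have the required access to update a Timeline.`. Separately, 405 Method Not Allowed is an unusual status for an authorization failure (403 is the conventional code, and the `_draft` operations in this file already use 403 for the same condition); if the route genuinely returns 405 the code should stay, but that is worth confirming against the handler rather than the spec. The PATCH operation's response block starts outside this hunk.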
@@ -24307,14 +27218,17 @@ paths:
type: string
required:
- timeline
- description: The required Timeline fields used to create a new Timeline, along with optional fields that will be created if not provided.
+ description: >-
+ The required Timeline fields used to create a new Timeline, along with
+ optional fields that will be created if not provided.
required: true
responses:
'200':
content:
application/json:
schema:
- $ref: '#/components/schemas/Security_Timeline_API_PersistTimelineResponse'
+ $ref: >-
+ #/components/schemas/Security_Timeline_API_PersistTimelineResponse
description: Indicates the Timeline was successfully created.
'405':
content:
@@ -24333,6 +27247,7 @@ paths:
summary: Create a Timeline or Timeline template
tags:
- Security Timeline API
+ - access:securitySolution
/api/timeline/_copy:
get:
description: |
@@ -24357,14 +27272,19 @@ paths:
content:
application/json:
schema:
- $ref: '#/components/schemas/Security_Timeline_API_PersistTimelineResponse'
+ $ref: >-
+ #/components/schemas/Security_Timeline_API_PersistTimelineResponse
description: Indicates that the timeline has been successfully copied.
summary: Copies timeline or timeline template
tags:
- Security Timeline API
+ - access:securitySolution
/api/timeline/_draft:
get:
- description: Get the details of the draft Timeline or Timeline template for the current user. If the user doesn't have a draft Timeline, an empty Timeline is returned.
+ description: >-
+ Get the details of the draft Timeline or Timeline template for the
+ current user. If the user doesn't have a draft Timeline, an empty
+ Timeline is returned.
operationId: GetDraftTimelines
parameters:
- in: query
@@ -24377,7 +27297,8 @@ paths:
content:
application/json:
schema:
- $ref: '#/components/schemas/Security_Timeline_API_PersistTimelineResponse'
+ $ref: >-
+ #/components/schemas/Security_Timeline_API_PersistTimelineResponse
description: Indicates that the draft Timeline was successfully retrieved.
'403':
content:
@@ -24389,7 +27310,10 @@ paths:
type: string
status_code:
type: number
- description: If a draft Timeline was not found and we attempted to create one, it indicates that the user does not have the required permissions to create a draft Timeline.
+ description: >-
+ If a draft Timeline was not found and we attempted to create one, it
+ indicates that the user does not have the required permissions to
+ create a draft Timeline.
'409':
content:
application:json:
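Review bot: The 409 response of GetDraftTimelines declares its media type as `application:json` (L14854, a context line the commit leaves in place), which is not a valid media type and will not match `application/json` in validators or generated clients; it should be `application/json:`. The same typo appears on the 403 and 409 responses of CleanDraftTimelines further down (L14905, L14916). Since this file appears to be bundled output, the fix belongs in the per-plugin source spec it is generated from, or it will be regenerated away. The response block this belongs to continues past the hunk boundary.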
@@ -24400,15 +27324,22 @@ paths:
type: string
status_code:
type: number
- description: This should never happen, but if a draft Timeline was not found and we attempted to create one, it indicates that there is already a draft Timeline with the given `timelineId`.
+ description: >-
+ This should never happen, but if a draft Timeline was not found and
+ we attempted to create one, it indicates that there is already a
+ draft Timeline with the given `timelineId`.
summary: Get draft Timeline or Timeline template details
tags:
- Security Timeline API
+ - access:securitySolution
post:
- description: |
+ description: >
Create a clean draft Timeline or Timeline template for the current user.
+
> info
- > If the user already has a draft Timeline, the existing draft Timeline is cleared and returned.
+
+ > If the user already has a draft Timeline, the existing draft Timeline
+ is cleared and returned.
operationId: CleanDraftTimelines
requestBody:
content:
@@ -24420,15 +27351,21 @@ paths:
$ref: '#/components/schemas/Security_Timeline_API_TimelineType'
required:
- timelineType
- description: The type of Timeline to create. Valid values are `default` and `template`.
+ description: >-
+ The type of Timeline to create. Valid values are `default` and
+ `template`.
required: true
responses:
'200':
content:
application/json:
schema:
- $ref: '#/components/schemas/Security_Timeline_API_PersistTimelineResponse'
- description: Indicates that the draft Timeline was successfully created. In the event the user already has a draft Timeline, the existing draft Timeline is cleared and returned.
+ $ref: >-
+ #/components/schemas/Security_Timeline_API_PersistTimelineResponse
+ description: >-
+ Indicates that the draft Timeline was successfully created. In the
+ event the user already has a draft Timeline, the existing draft
+ Timeline is cleared and returned.
'403':
content:
application:json:
@@ -24439,7 +27376,9 @@ paths:
type: string
status_code:
type: number
- description: Indicates that the user does not have the required permissions to create a draft Timeline.
+ description: >-
+ Indicates that the user does not have the required permissions to
+ create a draft Timeline.
'409':
content:
application:json:
@@ -24450,10 +27389,13 @@ paths:
type: string
status_code:
type: number
- description: Indicates that there is already a draft Timeline with the given `timelineId`.
+ description: >-
+ Indicates that there is already a draft Timeline with the given
+ `timelineId`.
summary: Create a clean draft Timeline or Timeline template
tags:
- Security Timeline API
+ - access:securitySolution
/api/timeline/_export:
post:
description: Export Timelines as an NDJSON file.
@@ -24500,6 +27442,7 @@ paths:
summary: Export Timelines
tags:
- Security Timeline API
+ - access:securitySolution
/api/timeline/_favorite:
patch:
description: Favorite a Timeline or Timeline template for the current user.
@@ -24540,7 +27483,8 @@ paths:
type: object
properties:
persistFavorite:
- $ref: '#/components/schemas/Security_Timeline_API_FavoriteTimelineResponse'
+ $ref: >-
+ #/components/schemas/Security_Timeline_API_FavoriteTimelineResponse
required:
- persistFavorite
required:
@@ -24556,10 +27500,13 @@ paths:
type: string
statusCode:
type: number
- description: Indicates the user does not have the required permissions to persist the favorite status.
+ description: >-
+ Indicates the user does not have the required permissions to persist
+ the favorite status.
summary: Favorite a Timeline or Timeline template
tags:
- Security Timeline API
+ - access:securitySolution
/api/timeline/_import:
post:
description: Import Timelines.
@@ -24586,7 +27533,8 @@ paths:
content:
application/json:
schema:
- $ref: '#/components/schemas/Security_Timeline_API_ImportTimelineResult'
+ $ref: >-
+ #/components/schemas/Security_Timeline_API_ImportTimelineResult
description: Indicates the import of Timelines was successful.
'400':
content:
@@ -24601,7 +27549,9 @@ paths:
statusCode:
example: 400
type: number
- description: Indicates the import of Timelines was unsuccessful because of an invalid file extension.
+ description: >-
+ Indicates the import of Timelines was unsuccessful because of an
+ invalid file extension.
'404':
content:
application/json:
@@ -24615,7 +27565,9 @@ paths:
statusCode:
example: 404
type: number
- description: Indicates that we were unable to locate the saved object client necessary to handle the import.
+ description: >-
+ Indicates that we were unable to locate the saved object client
+ necessary to handle the import.
'409':
content:
application/json:
@@ -24633,6 +27585,7 @@ paths:
summary: Import Timelines
tags:
- Security Timeline API
+ - access:securitySolution
/api/timeline/_prepackaged:
post:
description: Install or update prepackaged Timelines.
@@ -24645,7 +27598,8 @@ paths:
properties:
prepackagedTimelines:
items:
- $ref: '#/components/schemas/Security_Timeline_API_TimelineSavedToReturnObject'
+ $ref: >-
+ #/components/schemas/Security_Timeline_API_TimelineSavedToReturnObject
nullable: true
type: array
timelinesToInstall:
@@ -24669,7 +27623,8 @@ paths:
content:
application/json:
schema:
- $ref: '#/components/schemas/Security_Timeline_API_ImportTimelineResult'
+ $ref: >-
+ #/components/schemas/Security_Timeline_API_ImportTimelineResult
description: Indicates the installation of prepackaged Timelines was successful.
'500':
content:
@@ -24681,10 +27636,13 @@ paths:
type: string
statusCode:
type: number
- description: Indicates the installation of prepackaged Timelines was unsuccessful.
+ description: >-
+ Indicates the installation of prepackaged Timelines was
+ unsuccessful.
summary: Install prepackaged Timelines
tags:
- Security Timeline API
+ - access:securitySolution
/api/timeline/resolve:
get:
operationId: ResolveTimeline
@@ -24708,7 +27666,8 @@ paths:
- type: object
properties:
data:
- $ref: '#/components/schemas/Security_Timeline_API_ResolvedTimeline'
+ $ref: >-
+ #/components/schemas/Security_Timeline_API_ResolvedTimeline
required:
- data
- additionalProperties: false
@@ -24721,12 +27680,15 @@ paths:
summary: Get an existing saved Timeline or Timeline template
tags:
- Security Timeline API
+ - access:securitySolution
/api/timelines:
get:
description: Get a list of all saved Timelines or Timeline templates.
operationId: GetTimelines
parameters:
- - description: If true, only timelines that are marked as favorites by the user are returned.
+ - description: >-
+ If true, only timelines that are marked as favorites by the user are
+ returned.
in: query
name: only_user_favorite
schema:
@@ -24804,7 +27766,8 @@ paths:
type: number
timeline:
items:
- $ref: '#/components/schemas/Security_Timeline_API_TimelineResponse'
+ $ref: >-
+ #/components/schemas/Security_Timeline_API_TimelineResponse
type: array
totalCount:
description: The total amount of results
@@ -24831,6 +27794,7 @@ paths:
summary: Get Timelines or Timeline templates
tags:
- Security Timeline API
+ - access:securitySolution
/api/upgrade_assistant/reindex/{index}:
get:
description: |
@@ -24867,30 +27831,43 @@ paths:
type: object
properties:
hasRequiredPrivileges:
- description: |
- Specifies whether the user has sufficient privileges to reindex this index. When security is unavailable or disabled, it is `true`.
+ description: >
+ Specifies whether the user has sufficient privileges to
+ reindex this index. When security is unavailable or
+ disabled, it is `true`.
type: boolean
reindexOp:
type: object
properties:
errorMessage:
- $ref: '#/components/schemas/Upgrade_assistant_APIs_errorMessage'
+ $ref: >-
+ #/components/schemas/Upgrade_assistant_APIs_errorMessage
indexName:
$ref: '#/components/schemas/Upgrade_assistant_APIs_indexName'
lastCompletedStep:
- $ref: '#/components/schemas/Upgrade_assistant_APIs_lastCompletedStep'
+ $ref: >-
+ #/components/schemas/Upgrade_assistant_APIs_lastCompletedStep
newIndexName:
- $ref: '#/components/schemas/Upgrade_assistant_APIs_newIndexName'
+ $ref: >-
+ #/components/schemas/Upgrade_assistant_APIs_newIndexName
reindexTaskId:
- $ref: '#/components/schemas/Upgrade_assistant_APIs_reindexTaskId'
+ $ref: >-
+ #/components/schemas/Upgrade_assistant_APIs_reindexTaskId
reindexTaskPercComplete:
- $ref: '#/components/schemas/Upgrade_assistant_APIs_reindexTaskPercComplete'
+ $ref: >-
+ #/components/schemas/Upgrade_assistant_APIs_reindexTaskPercComplete
status:
$ref: '#/components/schemas/Upgrade_assistant_APIs_status'
warnings:
- description: |
- An array of any warning codes that explain what changes are required for this reindex. For example:
- - `0` specifies to remove the `_all` meta field. - `1` specifies to convert any coerced boolean values in the source document. For example, `yes`, `1`, and `off`. - `2` specifies to convert documents to support Elastic Common Schema. Applies only to APM indices created in 6.x.
+ description: >
+ An array of any warning codes that explain what changes
+ are required for this reindex. For example:
+
+ - `0` specifies to remove the `_all` meta field. - `1`
+ specifies to convert any coerced boolean values in the
+ source document. For example, `yes`, `1`, and `off`. - `2`
+ specifies to convert documents to support Elastic Common
+ Schema. Applies only to APM indices created in 6.x.
type: array
description: Indicates a successful call.
summary: Get the reindex status
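Review bot: The `warnings` schema (L15123–L15136) is declared `type: array` with no `items`, which OpenAPI 3.0 requires whenever the type is array, so consumers cannot tell what the elements are; the description lists the codes `0`, `1`, `2`, so presumably `items:` / `type: integer` is right, but that should be confirmed against the route's response. The folded `>` description (L15131–L15135) also joins the three "- `n` specifies ..." bullets onto one line (the old text already did, so this is not a regression), which renders as a run-on sentence rather than a list; giving each bullet its own line separated by a blank line, or keeping `|` for this one field, would restore the list. The `reindexOp` object this sits in starts outside the hunk.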
@@ -24939,13 +27916,15 @@ paths:
indexName:
$ref: '#/components/schemas/Upgrade_assistant_APIs_indexName'
lastCompletedStep:
- $ref: '#/components/schemas/Upgrade_assistant_APIs_lastCompletedStep'
+ $ref: >-
+ #/components/schemas/Upgrade_assistant_APIs_lastCompletedStep
newIndexName:
$ref: '#/components/schemas/Upgrade_assistant_APIs_newIndexName'
reindexTaskId:
$ref: '#/components/schemas/Upgrade_assistant_APIs_reindexTaskId'
reindexTaskPercComplete:
- $ref: '#/components/schemas/Upgrade_assistant_APIs_reindexTaskPercComplete'
+ $ref: >-
+ #/components/schemas/Upgrade_assistant_APIs_reindexTaskPercComplete
status:
$ref: '#/components/schemas/Upgrade_assistant_APIs_status'
description: Indicates a successful call.
@@ -24955,8 +27934,10 @@ paths:
x-state: Technical Preview
/api/upgrade_assistant/reindex/{index}/cancel:
post:
- description: |
- Cancel reindexes that are waiting for the Elasticsearch reindex task to complete. For example, cancel reindexing if the `lastCompletedStep` has the value `40`.
+ description: >
+ Cancel reindexes that are waiting for the Elasticsearch reindex task to
+ complete. For example, cancel reindexing if the `lastCompletedStep` has
+ the value `40`.
operationId: cancel-upgrade-reindex
parameters:
- description: The name of the index that was reindexing.
@@ -24987,8 +27968,11 @@ paths:
x-state: Technical Preview
/api/upgrade_assistant/reindex/batch:
post:
- description: |
- Start or resume multiple reindexing tasks in one request. Additionally, reindexing tasks started or resumed via the batch endpoint will be placed on a queue and run one-by-one, which ensures that minimal cluster resources are consumed over time.
+ description: >
+ Start or resume multiple reindexing tasks in one request. Additionally,
+ reindexing tasks started or resumed via the batch endpoint will be
+ placed on a queue and run one-by-one, which ensures that minimal cluster
+ resources are consumed over time.
operationId: batch-start-upgrade-reindex
requestBody:
content:
@@ -24997,8 +27981,9 @@ paths:
type: object
properties:
indexNames:
- description: |
- The list of index names to be reindexed. The order of the indices determines the order that the reindex tasks are run.
+ description: >
+ The list of index names to be reindexed. The order of the
+ indices determines the order that the reindex tasks are run.
items:
type: string
type: array
@@ -25042,31 +28027,40 @@ paths:
type: object
properties:
enqueued:
- description: |
- A list of reindex tasks created. The order in the array indicates the order in which tasks will be run.
+ description: >
+ A list of reindex tasks created. The order in the array
+ indicates the order in which tasks will be run.
items:
type: object
properties:
errorMessage:
- $ref: '#/components/schemas/Upgrade_assistant_APIs_errorMessage'
+ $ref: >-
+ #/components/schemas/Upgrade_assistant_APIs_errorMessage
indexName:
- $ref: '#/components/schemas/Upgrade_assistant_APIs_indexName'
+ $ref: >-
+ #/components/schemas/Upgrade_assistant_APIs_indexName
lastCompletedStep:
- $ref: '#/components/schemas/Upgrade_assistant_APIs_lastCompletedStep'
+ $ref: >-
+ #/components/schemas/Upgrade_assistant_APIs_lastCompletedStep
locked:
$ref: '#/components/schemas/Upgrade_assistant_APIs_locked'
reindexOptions:
- $ref: '#/components/schemas/Upgrade_assistant_APIs_reindexOptions'
+ $ref: >-
+ #/components/schemas/Upgrade_assistant_APIs_reindexOptions
reindexTaskId:
- $ref: '#/components/schemas/Upgrade_assistant_APIs_reindexTaskId'
+ $ref: >-
+ #/components/schemas/Upgrade_assistant_APIs_reindexTaskId
reindexTaskPercComplete:
- $ref: '#/components/schemas/Upgrade_assistant_APIs_reindexTaskPercComplete'
+ $ref: >-
+ #/components/schemas/Upgrade_assistant_APIs_reindexTaskPercComplete
runningReindexCount:
- $ref: '#/components/schemas/Upgrade_assistant_APIs_runningReindexCount'
+ $ref: >-
+ #/components/schemas/Upgrade_assistant_APIs_runningReindexCount
type: array
errors:
- description: |
- A list of errors that may have occurred preventing the reindex task from being created.
+ description: >
+ A list of errors that may have occurred preventing the
+ reindex task from being created.
items:
- type: object
type: array
@@ -25127,27 +28121,35 @@ paths:
type: object
properties:
queue:
- description: |
- Items in this array indicate reindex tasks at a given point in time and the order in which they will be run.
+ description: >
+ Items in this array indicate reindex tasks at a given
+ point in time and the order in which they will be run.
items:
type: object
properties:
errorMessage:
- $ref: '#/components/schemas/Upgrade_assistant_APIs_errorMessage'
+ $ref: >-
+ #/components/schemas/Upgrade_assistant_APIs_errorMessage
indexName:
- $ref: '#/components/schemas/Upgrade_assistant_APIs_indexName'
+ $ref: >-
+ #/components/schemas/Upgrade_assistant_APIs_indexName
lastCompletedStep:
- $ref: '#/components/schemas/Upgrade_assistant_APIs_lastCompletedStep'
+ $ref: >-
+ #/components/schemas/Upgrade_assistant_APIs_lastCompletedStep
locked:
$ref: '#/components/schemas/Upgrade_assistant_APIs_locked'
reindexOptions:
- $ref: '#/components/schemas/Upgrade_assistant_APIs_reindexOptions'
+ $ref: >-
+ #/components/schemas/Upgrade_assistant_APIs_reindexOptions
reindexTaskId:
- $ref: '#/components/schemas/Upgrade_assistant_APIs_reindexTaskId'
+ $ref: >-
+ #/components/schemas/Upgrade_assistant_APIs_reindexTaskId
reindexTaskPercComplete:
- $ref: '#/components/schemas/Upgrade_assistant_APIs_reindexTaskPercComplete'
+ $ref: >-
+ #/components/schemas/Upgrade_assistant_APIs_reindexTaskPercComplete
runningReindexCount:
- $ref: '#/components/schemas/Upgrade_assistant_APIs_runningReindexCount'
+ $ref: >-
+ #/components/schemas/Upgrade_assistant_APIs_runningReindexCount
type: array
description: Indicates a successful call.
summary: Get the batch reindex queue
@@ -25181,8 +28183,9 @@ paths:
x-state: Technical Preview
/api/uptime/settings:
get:
- description: |
- You must have `read` privileges for the uptime feature in the Observability section of the Kibana feature privileges.
+ description: >
+ You must have `read` privileges for the uptime feature in the
+ Observability section of the Kibana feature privileges.
operationId: get-uptime-settings
responses:
'200':
@@ -25212,15 +28215,22 @@ paths:
tags:
- uptime
put:
- description: |
- Update uptime setting attributes like `heartbeatIndices`, `certExpirationThreshold`, `certAgeThreshold`, `defaultConnectors`, or `defaultEmail`. You must have `all` privileges for the uptime feature in the Observability section of the Kibana feature privileges. A partial update is supported, provided settings keys will be merged with existing settings.
+ description: >
+ Update uptime setting attributes like `heartbeatIndices`,
+ `certExpirationThreshold`, `certAgeThreshold`, `defaultConnectors`, or
+ `defaultEmail`. You must have `all` privileges for the uptime feature in
+ the Observability section of the Kibana feature privileges. A partial
+ update is supported, provided settings keys will be merged with existing
+ settings.
operationId: put-uptime-settings
requestBody:
content:
application/json:
examples:
putUptimeSettingsRequestExample1:
- description: Run `PUT api/uptime/settings` to update multiple Uptime settings.
+ description: >-
+ Run `PUT api/uptime/settings` to update multiple Uptime
+ settings.
summary: Update multiple settings
value: |-
{
@@ -25238,7 +28248,9 @@ paths:
}
}
putUptimeSettingsRequestExample2:
- description: Run `PUT api/uptime/settings` to update a single Uptime setting.
+ description: >-
+ Run `PUT api/uptime/settings` to update a single Uptime
+ setting.
summary: Update a setting
value: |-
{
@@ -25249,15 +28261,21 @@ paths:
properties:
certAgeThreshold:
default: 730
- description: The number of days after a certificate is created to trigger an alert.
+ description: >-
+ The number of days after a certificate is created to trigger
+ an alert.
type: number
certExpirationThreshold:
default: 30
- description: The number of days before a certificate expires to trigger an alert.
+ description: >-
+ The number of days before a certificate expires to trigger
+ an alert.
type: number
defaultConnectors:
default: []
- description: A list of connector IDs to be used as default connectors for new alerts.
+ description: >-
+ A list of connector IDs to be used as default connectors for
+ new alerts.
type: array
defaultEmail:
description: |
@@ -25281,8 +28299,9 @@ paths:
type: array
heartbeatIndices:
default: heartbeat-*
- description: |
- An index pattern string to be used within the Uptime app and alerts to query Heartbeat data.
+ description: >
+ An index pattern string to be used within the Uptime app and
+ alerts to query Heartbeat data.
type: string
responses:
'200':
@@ -25314,8 +28333,9 @@ paths:
- uptime
/s/{spaceId}/api/observability/slos:
get:
- description: |
- You must have the `read` privileges for the **SLOs** feature in the **Observability** section of the Kibana feature privileges.
+ description: >
+ You must have the `read` privileges for the **SLOs** feature in the
+ **Observability** section of the Kibana feature privileges.
operationId: findSlosOp
parameters:
- $ref: '#/components/parameters/SLOs_kbn_xsrf'
@@ -25326,14 +28346,18 @@ paths:
name: kqlQuery
schema:
type: string
- - description: The page size to use for cursor-based pagination, must be greater or equal than 1
+ - description: >-
+ The page size to use for cursor-based pagination, must be greater or
+ equal than 1
example: 1
in: query
name: size
schema:
default: 1
type: integer
- - description: The cursor to use for fetching the results from, when using a cursor-base pagination.
+ - description: >-
+ The cursor to use for fetching the results from, when using a
+ cursor-base pagination.
in: query
name: searchAfter
schema:
@@ -25377,7 +28401,9 @@ paths:
- asc
- desc
type: string
- - description: Hide stale SLOs from the list as defined by stale SLO threshold in SLO settings
+ - description: >-
+ Hide stale SLOs from the list as defined by stale SLO threshold in
+ SLO settings
in: query
name: hideStale
schema:
@@ -25417,8 +28443,9 @@ paths:
tags:
- slo
post:
- description: |
- You must have `all` privileges for the **SLOs** feature in the **Observability** section of the Kibana feature privileges.
+ description: >
+ You must have `all` privileges for the **SLOs** feature in the
+ **Observability** section of the Kibana feature privileges.
operationId: createSloOp
parameters:
- $ref: '#/components/parameters/SLOs_kbn_xsrf'
@@ -25465,8 +28492,11 @@ paths:
- slo
/s/{spaceId}/api/observability/slos/_bulk_delete:
post:
- description: |
- Bulk delete SLO definitions and their associated summary and rollup data. This endpoint initiates a bulk deletion operation for SLOs, which may take some time to complete. The status of the operation can be checked using the `GET /api/slo/_bulk_delete/{taskId}` endpoint.
+ description: >
+ Bulk delete SLO definitions and their associated summary and rollup
+ data. This endpoint initiates a bulk deletion operation for SLOs, which
+ may take some time to complete. The status of the operation can be
+ checked using the `GET /api/slo/_bulk_delete/{taskId}` endpoint.
operationId: bulkDeleteOp
parameters:
- $ref: '#/components/parameters/SLOs_kbn_xsrf'
@@ -25502,13 +28532,17 @@ paths:
schema:
$ref: '#/components/schemas/SLOs_403_response'
description: Unauthorized response
- summary: Bulk delete SLO definitions and their associated summary and rollup data.
+ summary: >-
+ Bulk delete SLO definitions and their associated summary and rollup
+ data.
tags:
- slo
/s/{spaceId}/api/observability/slos/_bulk_delete/{taskId}:
get:
- description: |
- Retrieve the status of the bulk deletion operation for SLOs. This endpoint returns the status of the bulk deletion operation, including whether it is completed and the results of the operation.
+ description: >
+ Retrieve the status of the bulk deletion operation for SLOs. This
+ endpoint returns the status of the bulk deletion operation, including
+ whether it is completed and the results of the operation.
operationId: bulkDeleteStatusOp
parameters:
- $ref: '#/components/parameters/SLOs_kbn_xsrf'
@@ -25550,8 +28584,10 @@ paths:
- slo
/s/{spaceId}/api/observability/slos/_bulk_purge_rollup:
post:
- description: |
- The deletion occurs for the specified list of `sloId`. You must have `all` privileges for the **SLOs** feature in the **Observability** section of the Kibana feature privileges.
+ description: >
+ The deletion occurs for the specified list of `sloId`. You must have
+ `all` privileges for the **SLOs** feature in the **Observability**
+ section of the Kibana feature privileges.
operationId: deleteRollupDataOp
parameters:
- $ref: '#/components/parameters/SLOs_kbn_xsrf'
@@ -25592,8 +28628,10 @@ paths:
- slo
/s/{spaceId}/api/observability/slos/_delete_instances:
post:
- description: |
- The deletion occurs for the specified list of `sloId` and `instanceId`. You must have `all` privileges for the **SLOs** feature in the **Observability** section of the Kibana feature privileges.
+ description: >
+ The deletion occurs for the specified list of `sloId` and `instanceId`.
+ You must have `all` privileges for the **SLOs** feature in the
+ **Observability** section of the Kibana feature privileges.
operationId: deleteSloInstancesOp
parameters:
- $ref: '#/components/parameters/SLOs_kbn_xsrf'
@@ -25630,8 +28668,9 @@ paths:
- slo
/s/{spaceId}/api/observability/slos/{sloId}:
delete:
- description: |
- You must have the `write` privileges for the **SLOs** feature in the **Observability** section of the Kibana feature privileges.
+ description: >
+ You must have the `write` privileges for the **SLOs** feature in the
+ **Observability** section of the Kibana feature privileges.
operationId: deleteSloOp
parameters:
- $ref: '#/components/parameters/SLOs_kbn_xsrf'
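Review bot: The reflowed deleteSloOp description (L15503–L15504) says the caller needs "the `write` privileges for the **SLOs** feature", but every other privilege statement in this file uses the Kibana feature-privilege levels `all` and `read` (for example createSloOp at L15430 requires `all`), and `write` does not appear to be one of those levels. If the route is gated on the SLO feature's `all` privilege, the line should read `You must have the `all` privileges for the **SLOs** feature in the`; the same `write` wording is used in the PUT, `_reset`, `disable` and `enable` hunks below and should be corrected consistently, with the actual requirement confirmed against the route's authz declaration. The delete operation's parameter list continues beyond this hunk.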
@@ -25668,8 +28707,9 @@ paths:
tags:
- slo
get:
- description: |
- You must have the `read` privileges for the **SLOs** feature in the **Observability** section of the Kibana feature privileges.
+ description: >
+ You must have the `read` privileges for the **SLOs** feature in the
+ **Observability** section of the Kibana feature privileges.
operationId: getSloOp
parameters:
- $ref: '#/components/parameters/SLOs_kbn_xsrf'
@@ -25716,8 +28756,9 @@ paths:
tags:
- slo
put:
- description: |
- You must have the `write` privileges for the **SLOs** feature in the **Observability** section of the Kibana feature privileges.
+ description: >
+ You must have the `write` privileges for the **SLOs** feature in the
+ **Observability** section of the Kibana feature privileges.
operationId: updateSloOp
parameters:
- $ref: '#/components/parameters/SLOs_kbn_xsrf'
@@ -25765,8 +28806,9 @@ paths:
- slo
/s/{spaceId}/api/observability/slos/{sloId}/_reset:
post:
- description: |
- You must have the `write` privileges for the **SLOs** feature in the **Observability** section of the Kibana feature privileges.
+ description: >
+ You must have the `write` privileges for the **SLOs** feature in the
+ **Observability** section of the Kibana feature privileges.
operationId: resetSloOp
parameters:
- $ref: '#/components/parameters/SLOs_kbn_xsrf'
@@ -25808,8 +28850,9 @@ paths:
- slo
/s/{spaceId}/api/observability/slos/{sloId}/disable:
post:
- description: |
- You must have the `write` privileges for the **SLOs** feature in the **Observability** section of the Kibana feature privileges.
+ description: >
+ You must have the `write` privileges for the **SLOs** feature in the
+ **Observability** section of the Kibana feature privileges.
operationId: disableSloOp
parameters:
- $ref: '#/components/parameters/SLOs_kbn_xsrf'
@@ -25847,8 +28890,9 @@ paths:
- slo
/s/{spaceId}/api/observability/slos/{sloId}/enable:
post:
- description: |
- You must have the `write` privileges for the **SLOs** feature in the **Observability** section of the Kibana feature privileges.
+ description: >
+ You must have the `write` privileges for the **SLOs** feature in the
+ **Observability** section of the Kibana feature privileges.
operationId: enableSloOp
parameters:
- $ref: '#/components/parameters/SLOs_kbn_xsrf'
@@ -25886,13 +28930,16 @@ paths:
- slo
/s/{spaceId}/internal/observability/slos/_definitions:
get:
- description: |
- You must have the `read` privileges for the **SLOs** feature in the **Observability** section of the Kibana feature privileges.
+ description: >
+ You must have the `read` privileges for the **SLOs** feature in the
+ **Observability** section of the Kibana feature privileges.
operationId: getDefinitionsOp
parameters:
- $ref: '#/components/parameters/SLOs_kbn_xsrf'
- $ref: '#/components/parameters/SLOs_space_id'
- - description: Indicates if the API returns only outdated SLO or all SLO definitions
+ - description: >-
+ Indicates if the API returns only outdated SLO or all SLO
+ definitions
example: true
in: query
name: includeOutdatedOnly
@@ -26196,7 +29243,9 @@ components:
owner: cases
type: user
Cases_add_comment_response:
- summary: The add comment to case API returns a JSON object that contains details about the case and its comments.
+ summary: >-
+ The add comment to case API returns a JSON object that contains details
+ about the case and its comments.
value:
assignees: []
category: null
@@ -26275,7 +29324,9 @@ components:
- tag-1
title: Case title 1
Cases_create_case_response:
- summary: The create case API returns a JSON object that contains details about the case.
+ summary: >-
+ The create case API returns a JSON object that contains details about
+ the case.
value:
assignees: []
closed_at: null
@@ -26394,7 +29445,9 @@ components:
type: assignees
version: WzM1ODg4LDFb
Cases_find_case_response:
- summary: Retrieve the first five cases with the `tag-1` tag, in ascending order by last update time.
+ summary: >-
+ Retrieve the first five cases with the `tag-1` tag, in ascending order
+ by last update time.
value:
cases:
- assignees: []
@@ -26519,7 +29572,9 @@ components:
updated_by: null
version: WzEyLDNd
Cases_get_case_observability_response:
- summary: Retrieves information about an Observability case including its alerts and comments.
+ summary: >-
+ Retrieves information about an Observability case including its alerts
+ and comments.
value:
assignees:
- uid: u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0
@@ -26696,7 +29751,9 @@ components:
- tag 1
- tag 2
Cases_push_case_response:
- summary: The push case API returns a JSON object with details about the case and the external service.
+ summary: >-
+ The push case API returns a JSON object with details about the case and
+ the external service.
value:
closed_at: null
closed_by: null
@@ -26745,7 +29802,9 @@ components:
username: elastic
version: WzE3NjgsM10=
Cases_set_case_configuration_request:
- summary: Set the closure type, custom fields, and default connector for Stack Management cases.
+ summary: >-
+ Set the closure type, custom fields, and default connector for Stack
+ Management cases.
value:
closure_type: close-by-user
connector:
@@ -26932,7 +29991,9 @@ components:
- tag-1
version: WzIzLDFd
Cases_update_case_response:
- summary: This is an example response when the case description, tags, and connector were updated.
+ summary: >-
+ This is an example response when the case description, tags, and
+ connector were updated.
value:
- assignees: []
category: null
@@ -27000,7 +30061,9 @@ components:
type: user
version: Wzk1LDFd
Cases_update_comment_response:
- summary: The add comment to case API returns a JSON object that contains details about the case and its comments.
+ summary: >-
+ The add comment to case API returns a JSON object that contains details
+ about the case and its comments.
value:
assignees: []
category: null
@@ -27085,7 +30148,9 @@ components:
source: emit(doc["foo"].value)
type: long
Data_views_get_data_view_response:
- summary: The get data view API returns a JSON object that contains information about the data view.
+ summary: >-
+ The get data view API returns a JSON object that contains information
+ about the data view.
value:
data_view:
allowNoIndex: false
@@ -28036,7 +31101,10 @@ components:
value:
data_view_id: ff959d40-b880-11e8-a6d9-e546fe2bba5f
Data_views_get_runtime_field_response:
- summary: The get runtime field API returns a JSON object that contains information about the runtime field (`hour_of_day`) and the data view (`d3d7af60-4c81-11e8-b3d7-01146121b73d`).
+ summary: >-
+ The get runtime field API returns a JSON object that contains
+ information about the runtime field (`hour_of_day`) and the data view
+ (`d3d7af60-4c81-11e8-b3d7-01146121b73d`).
value:
data_view:
allowNoIndex: false
@@ -28545,7 +31613,9 @@ components:
data_view_id: ff959d40-b880-11e8-a6d9-e546fe2bba5f
force: true
Data_views_swap_data_view_request:
- summary: Swap references from data view ID "abcd-efg" to "xyz-123" and remove the data view that is no longer referenced.
+ summary: >-
+ Swap references from data view ID "abcd-efg" to "xyz-123" and remove the
+ data view that is no longer referenced.
value:
delete: true
fromId: abcd-efg
@@ -28596,12 +31666,25 @@ components:
- id: de71f4f0-1902-11e9-919b-ffe5949a18d2
type: map
Saved_objects_export_objects_response:
- summary: The export objects API response contains a JSON record for each exported object.
+ summary: >-
+ The export objects API response contains a JSON record for each exported
+ object.
value:
attributes:
description: ''
- layerListJSON: '[{"id":"0hmz5","alpha":1,"sourceDescriptor":{"type":"EMS_TMS","isAutoSelect":true,"lightModeDefault":"road_map_desaturated"},"visible":true,"style":{},"type":"EMS_VECTOR_TILE","minZoom":0,"maxZoom":24},{"id":"edh66","label":"Total Requests by Destination","minZoom":0,"maxZoom":24,"alpha":0.5,"sourceDescriptor":{"type":"EMS_FILE","id":"world_countries","tooltipProperties":["name","iso2"]},"visible":true,"style":{"type":"VECTOR","properties":{"fillColor":{"type":"DYNAMIC","options":{"field":{"name":"__kbnjoin__count__673ff994-fc75-4c67-909b-69fcb0e1060e","origin":"join"},"color":"Greys","fieldMetaOptions":{"isEnabled":false,"sigma":3}}},"lineColor":{"type":"STATIC","options":{"color":"#FFFFFF"}},"lineWidth":{"type":"STATIC","options":{"size":1}},"iconSize":{"type":"STATIC","options":{"size":10}},"symbolizeAs":{"options":{"value":"circle"}},"icon":{"type":"STATIC","options":{"value":"marker"}}}},"type":"GEOJSON_VECTOR","joins":[{"leftField":"iso2","right":{"type":"ES_TERM_SOURCE","id":"673ff994-fc75-4c67-909b-69fcb0e1060e","indexPatternTitle":"kibana_sample_data_logs","term":"geo.dest","indexPatternRefName":"layer_1_join_0_index_pattern","metrics":[{"type":"count","label":"web logs count"}],"applyGlobalQuery":true}}]},{"id":"gaxya","label":"Actual 
Requests","minZoom":9,"maxZoom":24,"alpha":1,"sourceDescriptor":{"id":"b7486535-171b-4d3b-bb2e-33c1a0a2854c","type":"ES_SEARCH","geoField":"geo.coordinates","limit":2048,"filterByMapBounds":true,"tooltipProperties":["clientip","timestamp","host","request","response","machine.os","agent","bytes"],"indexPatternRefName":"layer_2_source_index_pattern","applyGlobalQuery":true,"scalingType":"LIMIT"},"visible":true,"style":{"type":"VECTOR","properties":{"fillColor":{"type":"STATIC","options":{"color":"#2200ff"}},"lineColor":{"type":"STATIC","options":{"color":"#FFFFFF"}},"lineWidth":{"type":"STATIC","options":{"size":2}},"iconSize":{"type":"DYNAMIC","options":{"field":{"name":"bytes","origin":"source"},"minSize":1,"maxSize":23,"fieldMetaOptions":{"isEnabled":false,"sigma":3}}},"symbolizeAs":{"options":{"value":"circle"}},"icon":{"type":"STATIC","options":{"value":"marker"}}}},"type":"GEOJSON_VECTOR"},{"id":"tfi3f","label":"Total Requests and Bytes","minZoom":0,"maxZoom":9,"alpha":1,"sourceDescriptor":{"type":"ES_GEO_GRID","resolution":"COARSE","id":"8aaa65b5-a4e9-448b-9560-c98cb1c5ac5b","geoField":"geo.coordinates","requestType":"point","metrics":[{"type":"count","label":"web logs 
count"},{"type":"sum","field":"bytes"}],"indexPatternRefName":"layer_3_source_index_pattern","applyGlobalQuery":true},"visible":true,"style":{"type":"VECTOR","properties":{"fillColor":{"type":"DYNAMIC","options":{"field":{"name":"doc_count","origin":"source"},"color":"Blues","fieldMetaOptions":{"isEnabled":false,"sigma":3}}},"lineColor":{"type":"STATIC","options":{"color":"#cccccc"}},"lineWidth":{"type":"STATIC","options":{"size":1}},"iconSize":{"type":"DYNAMIC","options":{"field":{"name":"sum_of_bytes","origin":"source"},"minSize":7,"maxSize":25,"fieldMetaOptions":{"isEnabled":false,"sigma":3}}},"labelText":{"type":"DYNAMIC","options":{"field":{"name":"doc_count","origin":"source"},"fieldMetaOptions":{"isEnabled":false,"sigma":3}}},"labelSize":{"type":"DYNAMIC","options":{"field":{"name":"doc_count","origin":"source"},"minSize":12,"maxSize":24,"fieldMetaOptions":{"isEnabled":false,"sigma":3}}},"symbolizeAs":{"options":{"value":"circle"}},"icon":{"type":"STATIC","options":{"value":"marker"}}}},"type":"GEOJSON_VECTOR"}]'
- mapStateJSON: '{"zoom":3.64,"center":{"lon":-88.92107,"lat":42.16337},"timeFilters":{"from":"now-7d","to":"now"},"refreshConfig":{"isPaused":true,"interval":0},"query":{"language":"kuery","query":""},"settings":{"autoFitToDataBounds":false}}'
+ layerListJSON: >-
+ [{"id":"0hmz5","alpha":1,"sourceDescriptor":{"type":"EMS_TMS","isAutoSelect":true,"lightModeDefault":"road_map_desaturated"},"visible":true,"style":{},"type":"EMS_VECTOR_TILE","minZoom":0,"maxZoom":24},{"id":"edh66","label":"Total
+ Requests by
+ Destination","minZoom":0,"maxZoom":24,"alpha":0.5,"sourceDescriptor":{"type":"EMS_FILE","id":"world_countries","tooltipProperties":["name","iso2"]},"visible":true,"style":{"type":"VECTOR","properties":{"fillColor":{"type":"DYNAMIC","options":{"field":{"name":"__kbnjoin__count__673ff994-fc75-4c67-909b-69fcb0e1060e","origin":"join"},"color":"Greys","fieldMetaOptions":{"isEnabled":false,"sigma":3}}},"lineColor":{"type":"STATIC","options":{"color":"#FFFFFF"}},"lineWidth":{"type":"STATIC","options":{"size":1}},"iconSize":{"type":"STATIC","options":{"size":10}},"symbolizeAs":{"options":{"value":"circle"}},"icon":{"type":"STATIC","options":{"value":"marker"}}}},"type":"GEOJSON_VECTOR","joins":[{"leftField":"iso2","right":{"type":"ES_TERM_SOURCE","id":"673ff994-fc75-4c67-909b-69fcb0e1060e","indexPatternTitle":"kibana_sample_data_logs","term":"geo.dest","indexPatternRefName":"layer_1_join_0_index_pattern","metrics":[{"type":"count","label":"web
+ logs
+ count"}],"applyGlobalQuery":true}}]},{"id":"gaxya","label":"Actual
+ Requests","minZoom":9,"maxZoom":24,"alpha":1,"sourceDescriptor":{"id":"b7486535-171b-4d3b-bb2e-33c1a0a2854c","type":"ES_SEARCH","geoField":"geo.coordinates","limit":2048,"filterByMapBounds":true,"tooltipProperties":["clientip","timestamp","host","request","response","machine.os","agent","bytes"],"indexPatternRefName":"layer_2_source_index_pattern","applyGlobalQuery":true,"scalingType":"LIMIT"},"visible":true,"style":{"type":"VECTOR","properties":{"fillColor":{"type":"STATIC","options":{"color":"#2200ff"}},"lineColor":{"type":"STATIC","options":{"color":"#FFFFFF"}},"lineWidth":{"type":"STATIC","options":{"size":2}},"iconSize":{"type":"DYNAMIC","options":{"field":{"name":"bytes","origin":"source"},"minSize":1,"maxSize":23,"fieldMetaOptions":{"isEnabled":false,"sigma":3}}},"symbolizeAs":{"options":{"value":"circle"}},"icon":{"type":"STATIC","options":{"value":"marker"}}}},"type":"GEOJSON_VECTOR"},{"id":"tfi3f","label":"Total
+ Requests and
+ Bytes","minZoom":0,"maxZoom":9,"alpha":1,"sourceDescriptor":{"type":"ES_GEO_GRID","resolution":"COARSE","id":"8aaa65b5-a4e9-448b-9560-c98cb1c5ac5b","geoField":"geo.coordinates","requestType":"point","metrics":[{"type":"count","label":"web
+ logs
+ count"},{"type":"sum","field":"bytes"}],"indexPatternRefName":"layer_3_source_index_pattern","applyGlobalQuery":true},"visible":true,"style":{"type":"VECTOR","properties":{"fillColor":{"type":"DYNAMIC","options":{"field":{"name":"doc_count","origin":"source"},"color":"Blues","fieldMetaOptions":{"isEnabled":false,"sigma":3}}},"lineColor":{"type":"STATIC","options":{"color":"#cccccc"}},"lineWidth":{"type":"STATIC","options":{"size":1}},"iconSize":{"type":"DYNAMIC","options":{"field":{"name":"sum_of_bytes","origin":"source"},"minSize":7,"maxSize":25,"fieldMetaOptions":{"isEnabled":false,"sigma":3}}},"labelText":{"type":"DYNAMIC","options":{"field":{"name":"doc_count","origin":"source"},"fieldMetaOptions":{"isEnabled":false,"sigma":3}}},"labelSize":{"type":"DYNAMIC","options":{"field":{"name":"doc_count","origin":"source"},"minSize":12,"maxSize":24,"fieldMetaOptions":{"isEnabled":false,"sigma":3}}},"symbolizeAs":{"options":{"value":"circle"}},"icon":{"type":"STATIC","options":{"value":"marker"}}}},"type":"GEOJSON_VECTOR"}]
+ mapStateJSON: >-
+ {"zoom":3.64,"center":{"lon":-88.92107,"lat":42.16337},"timeFilters":{"from":"now-7d","to":"now"},"refreshConfig":{"isPaused":true,"interval":0},"query":{"language":"kuery","query":""},"settings":{"autoFitToDataBounds":false}}
title: '[Logs] Total Requests and Bytes'
uiStateJSON: '{"isDarkMode":false}'
coreMigrationVersion: 8.8.0
@@ -28626,7 +31709,10 @@ components:
value:
file: file.ndjson
Saved_objects_import_objects_response:
- summary: The import objects API response indicates a successful import and the objects are created. Since these objects are created as new copies, each entry in the successResults array includes a destinationId attribute.
+ summary: >-
+ The import objects API response indicates a successful import and the
+ objects are created. Since these objects are created as new copies, each
+ entry in the successResults array includes a destinationId attribute.
value:
success: true
successCount: 1
@@ -29906,1614 +32992,6 @@ components:
}
}
}
- get_connector_types_generativeai_response:
- summary: A list of connector types for the `generativeAI` feature.
- value:
- - id: .gen-ai
- name: OpenAI
- enabled: true
- enabled_in_config: true
- enabled_in_license: true
- minimum_license_required: enterprise
- supported_feature_ids:
- - generativeAIForSecurity
- - generativeAIForObservability
- - generativeAIForSearchPlayground
- is_system_action_type: false
- - id: .bedrock
- name: AWS Bedrock
- enabled: true
- enabled_in_config: true
- enabled_in_license: true
- minimum_license_required: enterprise
- supported_feature_ids:
- - generativeAIForSecurity
- - generativeAIForObservability
- - generativeAIForSearchPlayground
- is_system_action_type: false
- - id: .gemini
- name: Google Gemini
- enabled: true
- enabled_in_config: true
- enabled_in_license: true
- minimum_license_required: enterprise
- supported_feature_ids:
- - generativeAIForSecurity
- is_system_action_type: false
- get_connector_response:
- summary: Get connector details.
- value:
- id: df770e30-8b8b-11ed-a780-3b746c987a81
- name: my_server_log_connector
- config: {}
- connector_type_id: .server-log
- is_preconfigured: false
- is_deprecated: false
- is_missing_secrets: false
- is_system_action: false
- update_index_connector_request:
- summary: Update an index connector.
- value:
- name: updated-connector
- config:
- index: updated-index
- create_email_connector_request:
- summary: Create an email connector.
- value:
- name: email-connector-1
- connector_type_id: .email
- config:
- from: tester@example.com
- hasAuth: true
- host: https://example.com
- port: 1025
- secure: false
- service: other
- secrets:
- user: username
- password: password
- create_index_connector_request:
- summary: Create an index connector.
- value:
- name: my-connector
- connector_type_id: .index
- config:
- index: test-index
- create_webhook_connector_request:
- summary: Create a webhook connector with SSL authentication.
- value:
- name: my-webhook-connector
- connector_type_id: .webhook
- config:
- method: post
- url: https://example.com
- authType: webhook-authentication-ssl
- certType: ssl-crt-key
- secrets:
- crt: QmFnIEF0dH...
- key: LS0tLS1CRUdJ...
- password: my-passphrase
- create_xmatters_connector_request:
- summary: Create an xMatters connector with URL authentication.
- value:
- name: my-xmatters-connector
- connector_type_id: .xmatters
- config:
- usesBasic: false
- secrets:
- secretsUrl: https://example.com?apiKey=xxxxx
- create_email_connector_response:
- summary: A new email connector.
- value:
- id: 90a82c60-478f-11ee-a343-f98a117c727f
- connector_type_id: .email
- name: email-connector-1
- config:
- from: tester@example.com
- service: other
- host: https://example.com
- port: 1025
- secure: false
- hasAuth: true
- tenantId: null
- clientId: null
- oauthTokenUrl: null
- is_preconfigured: false
- is_deprecated: false
- is_missing_secrets: false
- is_system_action: false
- create_index_connector_response:
- summary: A new index connector.
- value:
- id: c55b6eb0-6bad-11eb-9f3b-611eebc6c3ad
- connector_type_id: .index
- name: my-connector
- config:
- index: test-index
- refresh: false
- executionTimeField: null
- is_preconfigured: false
- is_deprecated: false
- is_missing_secrets: false
- is_system_action: false
- create_webhook_connector_response:
- summary: A new webhook connector.
- value:
- id: 900eb010-3b9d-11ee-a642-8ffbb94e38bd
- name: my-webhook-connector
- config:
- method: post
- url: https://example.com
- authType: webhook-authentication-ssl
- certType: ssl-crt-key
- verificationMode: full
- headers: null
- hasAuth: true
- connector_type_id: .webhook
- is_preconfigured: false
- is_deprecated: false
- is_missing_secrets: false
- is_system_action: false
- run_index_connector_request:
- summary: Run an index connector.
- value:
- params:
- documents:
- - id: my_doc_id
- name: my_doc_name
- message: hello, world
- run_jira_connector_request:
- summary: Run a Jira connector to retrieve the list of issue types.
- value:
- params:
- subAction: issueTypes
- run_servicenow_itom_connector_request:
- summary: Run a ServiceNow ITOM connector to retrieve the list of choices.
- value:
- params:
- subAction: getChoices
- subActionParams:
- fields:
- - severity
- - urgency
- run_slack_api_connector_request:
- summary: Run a Slack connector that uses the web API method to post a message on a channel.
- value:
- params:
- subAction: postMessage
- subActionParams:
- channelIds:
- - C123ABC456
- text: A test message.
- run_swimlane_connector_request:
- summary: Run a Swimlane connector to create an incident.
- value:
- params:
- subAction: pushToService
- subActionParams:
- comments:
- - commentId: 1
- comment: A comment about the incident.
- incident:
- caseId: '1000'
- caseName: Case name
- description: Description of the incident.
- run_index_connector_response:
- summary: Response from running an index connector.
- value:
- connector_id: fd38c600-96a5-11ed-bb79-353b74189cba
- data:
- errors: false
- items:
- - create:
- _id: 4JtvwYUBrcyxt2NnfW3y
- _index: my-index
- _primary_term: 1
- _seq_no: 0
- _shards:
- failed: 0
- successful: 1
- total: 2
- _version: 1
- result: created
- status: 201
- took: 135
- status: ok
- run_jira_connector_response:
- summary: Response from retrieving the list of issue types for a Jira connector.
- value:
- connector_id: b3aad810-edbe-11ec-82d1-11348ecbf4a6
- data:
- - id: 10024
- name: Improvement
- - id: 10006
- name: Task
- - id: 10007
- name: Sub-task
- - id: 10025
- name: New Feature
- - id: 10023
- name: Bug
- - id: 10000
- name: Epic
- status: ok
- run_server_log_connector_response:
- summary: Response from running a server log connector.
- value:
- connector_id: 7fc7b9a0-ecc9-11ec-8736-e7d63118c907
- status: ok
- run_servicenow_itom_connector_response:
- summary: Response from retrieving the list of choices for a ServiceNow ITOM connector.
- value:
- connector_id: 9d9be270-2fd2-11ed-b0e0-87533c532698
- data:
- - dependent_value: ''
- element: severity
- label: Critical
- value: 1
- - dependent_value: ''
- element: severity
- label: Major
- value: 2
- - dependent_value: ''
- element: severity
- label: Minor
- value: 3
- - dependent_value: ''
- element: severity
- label: Warning
- value: 4
- - dependent_value: ''
- element: severity
- label: OK
- value: 5
- - dependent_value: ''
- element: severity
- label: Clear
- value: 0
- - dependent_value: ''
- element: urgency
- label: 1 - High
- value: 1
- - dependent_value: ''
- element: urgency
- label: 2 - Medium
- value: 2
- - dependent_value: ''
- element: urgency
- label: 3 - Low
- value: 3
- status: ok
- run_slack_api_connector_response:
- summary: Response from posting a message with a Slack connector.
- value:
- status: ok
- data:
- ok: true
- channel: C123ABC456
- ts: '1234567890.123456'
- message:
- bot_id: B12BCDEFGHI
- type: message
- text: A test message
- user: U12A345BC6D
- ts: '1234567890.123456'
- app_id: A01BC2D34EF
- blocks:
- - type: rich_text
- block_id: /NXe
- elements:
- - type: rich_text_section
- elements:
- - type: text
- text: A test message.
- team: T01ABCDE2F
- bot_profile:
- id: B12BCDEFGHI
- app_id: A01BC2D34EF
- name: test
- icons:
- image_36: https://a.slack-edge.com/80588/img/plugins/app/bot_36.png
- deleted: false
- updated: 1672169705
- team_id: T01ABCDE2F
- connector_id: .slack_api
- run_swimlane_connector_response:
- summary: Response from creating a Swimlane incident.
- value:
- connector_id: a4746470-2f94-11ed-b0e0-87533c532698
- data:
- id: aKPmBHWzmdRQtx6Mx
- title: TEST-457
- url: https://elastic.swimlane.url.us/record/aNcL2xniGHGpa2AHb/aKPmBHWzmdRQtx6Mx
- pushedDate: '2022-09-08T16:52:27.866Z'
- comments:
- - commentId: 1
- pushedDate: '2022-09-08T16:52:27.865Z'
- status: ok
- get_connectors_response:
- summary: A list of connectors
- value:
- - id: preconfigured-email-connector
- name: my-preconfigured-email-notification
- connector_type_id: .email
- is_preconfigured: true
- is_deprecated: false
- referenced_by_count: 0
- is_system_action: false
- - id: e07d0c80-8b8b-11ed-a780-3b746c987a81
- name: my-index-connector
- config:
- index: test-index
- refresh: false
- executionTimeField: null
- connector_type_id: .index
- is_preconfigured: false
- is_deprecated: false
- referenced_by_count: 2
- is_missing_secrets: false
- is_system_action: false
- update_rule_request:
- summary: Index threshold rule
- description: Update an index threshold rule that uses a server log connector to send notifications when the threshold is met.
- value:
- actions:
- - frequency:
- summary: false
- notify_when: onActionGroupChange
- group: threshold met
- id: 96b668d0-a1b6-11ed-afdf-d39a49596974
- params:
- level: info
- message: |-
- Rule {{rule.name}} is active for group {{context.group}}:
-
- - Value: {{context.value}}
- - Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}}
- - Timestamp: {{context.date}}
- params:
- aggField: sheet.version
- aggType: avg
- index:
- - .updated-index
- groupBy: top
- termField: name.keyword
- termSize: 6
- threshold:
- - 1000
- thresholdComparator: '>'
- timeField: '@timestamp'
- timeWindowSize: 5
- timeWindowUnit: m
- name: new name
- schedule:
- interval: 1m
- tags: []
- update_rule_response:
- summary: Index threshold rule
- description: The response for successfully updating an index threshold rule.
- value:
- id: ac4e6b90-6be7-11eb-ba0d-9b1c1f912d74
- consumer: alerts
- tags: []
- name: new name
- enabled: true
- throttle: null
- revision: 1
- running: false
- schedule:
- interval: 1m
- params:
- index:
- - .updated-index
- timeField: '@timestamp'
- groupBy: top
- aggType: avg
- timeWindowSize: 5
- timeWindowUnit: m
- thresholdComparator: '>'
- threshold:
- - 1000
- aggField: sheet.version
- termField: name.keyword
- termSize: 6
- api_key_owner: elastic
- created_by: elastic
- updated_by: elastic
- rule_type_id: .index-threshold
- scheduled_task_id: 4c5eda00-e74f-11ec-b72f-5b18752ff9ea
- created_at: '2024-03-26T23:13:20.985Z'
- updated_at: '2024-03-26T23:22:59.949Z'
- mute_all: false
- muted_alert_ids: []
- execution_status:
- status: ok
- last_execution_date: '2024-03-26T23:22:51.390Z'
- last_duration: 52
- actions:
- - group: threshold met
- params:
- level: info
- message: |-
- Rule {{rule.name}} is active for group {{context.group}}:
-
- - Value: {{context.value}}
- - Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}}
- - Timestamp: {{context.date}
- id: 96b668d0-a1b6-11ed-afdf-d39a49596974
- uuid: 07aef2a0-9eed-4ef9-94ec-39ba58eb609d
- connector_type_id: .server-log
- frequency:
- summary: false
- throttle: null
- notify_when: onActionGroupChange
- last_run:
- alerts_count:
- new: 0
- ignored: 0
- recovered: 0
- active: 0
- outcome_msg: null
- warning: null
- outcome: succeeded
- next_run: '2024-03-26T23:23:51.316Z'
- api_key_created_by_user: false
- create_es_query_esql_rule_request:
- summary: Elasticsearch query rule (ES|QL)
- description: |
- Create an Elasticsearch query rule that uses Elasticsearch Query Language (ES|QL) to define its query and a server log connector to send notifications.
- value:
- name: my Elasticsearch query ESQL rule
- params:
- searchType: esqlQuery
- esqlQuery:
- esql: FROM kibana_sample_data_logs | KEEP bytes, clientip, host, geo.dest | where geo.dest != "GB" | STATS sumbytes = sum(bytes) by clientip, host | WHERE sumbytes > 5000 | SORT sumbytes desc | LIMIT 10
- timeField: '@timestamp'
- timeWindowSize: 1
- timeWindowUnit: d
- size: 0
- thresholdComparator: '>'
- threshold:
- - 0
- consumer: stackAlerts
- rule_type_id: .es-query
- schedule:
- interval: 1d
- actions:
- - group: query matched
- id: d0db1fe0-78d6-11ee-9177-f7d404c8c945
- params:
- level: info
- message: |-
- Elasticsearch query rule '{{rule.name}}' is active:
- - Value: {{context.value}} - Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}} - Timestamp: {{context.date}} - Link: {{context.link}}
- frequency:
- summary: false
- notify_when: onActiveAlert
- create_es_query_rule_request:
- summary: Elasticsearch query rule (DSL)
- description: |
- Create an Elasticsearch query rule that uses Elasticsearch query domain specific language (DSL) to define its query and a server log connector to send notifications.
- value:
- actions:
- - group: query matched
- params:
- level: info
- message: The system has detected {{alerts.new.count}} new, {{alerts.ongoing.count}} ongoing, and {{alerts.recovered.count}} recovered alerts.
- id: fdbece50-406c-11ee-850e-c71febc4ca7f
- frequency:
- throttle: 1d
- summary: true
- notify_when: onThrottleInterval
- - group: recovered
- params:
- level: info
- message: Recovered
- id: fdbece50-406c-11ee-850e-c71febc4ca7f
- frequency:
- summary: false
- notify_when: onActionGroupChange
- consumer: alerts
- name: my Elasticsearch query rule
- params:
- esQuery: '"""{"query":{"match_all" : {}}}"""'
- index:
- - kibana_sample_data_logs
- size: 100
- threshold:
- - 100
- thresholdComparator: '>'
- timeField: '@timestamp'
- timeWindowSize: 1
- timeWindowUnit: d
- rule_type_id: .es-query
- schedule:
- interval: 1d
- create_es_query_kql_rule_request:
- summary: Elasticsearch query rule (KQL)
- description: Create an Elasticsearch query rule that uses Kibana query language (KQL).
- value:
- consumer: alerts
- name: my Elasticsearch query KQL rule
- params:
- aggType: count
- excludeHitsFromPreviousRun: true
- groupBy: all
- searchConfiguration:
- query:
- query: '""geo.src : "US" ""'
- language: kuery
- index: 90943e30-9a47-11e8-b64d-95841ca0b247
- searchType: searchSource
- size: 100
- threshold:
- - 1000
- thresholdComparator: '>'
- timeWindowSize: 5
- timeWindowUnit: m
- rule_type_id: .es-query
- schedule:
- interval: 1m
- create_index_threshold_rule_request:
- summary: Index threshold rule
- description: |
- Create an index threshold rule that uses a server log connector to send notifications when the threshold is met.
- value:
- actions:
- - id: 48de3460-f401-11ed-9f8e-399c75a2deeb
- frequency:
- notify_when: onActionGroupChange
- summary: false
- group: threshold met
- params:
- level: info
- message: |-
- Rule '{{rule.name}}' is active for group '{{context.group}}':
-
- - Value: {{context.value}}
- - Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}}
- - Timestamp: {{context.date}}
- alert_delay:
- active: 3
- consumer: alerts
- name: my rule
- params:
- aggType: avg
- termSize: 6
- thresholdComparator: '>'
- timeWindowSize: 5
- timeWindowUnit: m
- groupBy: top
- threshold:
- - 1000
- index:
- - .test-index
- timeField: '@timestamp'
- aggField: sheet.version
- termField: name.keyword
- rule_type_id: .index-threshold
- schedule:
- interval: 1m
- tags:
- - cpu
- create_tracking_containment_rule_request:
- summary: Tracking containment rule
- description: |
- Create a tracking containment rule that checks when an entity is contained or no longer contained within a boundary.
- value:
- consumer: alerts
- name: my tracking rule
- params:
- index: kibana_sample_data_logs
- dateField": '@timestamp'
- geoField: geo.coordinates
- entity: agent.keyword
- boundaryType: entireIndex
- boundaryIndexTitle: boundary*
- boundaryGeoField: location
- boundaryNameField: name
- indexId: 90943e30-9a47-11e8-b64d-95841ca0b247
- boundaryIndexId: 0cd90abf-abe7-44c7-909a-f621bbbcfefc
- rule_type_id: .geo-containment
- schedule:
- interval: 1h
- create_es_query_esql_rule_response:
- summary: Elasticsearch query rule (ES|QL)
- description: The response for successfully creating an Elasticsearch query rule that uses Elasticsearch Query Language (ES|QL).
- value:
- id: e0d62360-78e8-11ee-9177-f7d404c8c945
- enabled: true
- name: my Elasticsearch query ESQL rule
- tags: []
- rule_type_id: .es-query
- consumer: stackAlerts
- schedule:
- interval: 1d
- actions:
- - group: query matched
- id: d0db1fe0-78d6-11ee-9177-f7d404c8c945
- params:
- level: info
- message: |-
- Elasticsearch query rule '{{rule.name}}' is active:
- - Value: {{context.value}} - Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}} - Timestamp: {{context.date}} - Link: {{context.link}}
- connector_type_id: .server-log
- frequency:
- summary: false
- notify_when: onActiveAlert
- throttle: null
- uuid: bfe370a3-531b-4855-bbe6-ad739f578844
- params:
- searchType: esqlQuery
- esqlQuery:
- esql: FROM kibana_sample_data_logs | keep bytes, clientip, host, geo.dest | WHERE geo.dest != "GB" | stats sumbytes = sum(bytes) by clientip, host | WHERE sumbytes > 5000 | sort sumbytes desc | limit 10
- timeField: '@timestamp'
- timeWindowSize: 1
- timeWindowUnit: d
- size: 0
- thresholdComparator: '>'
- threshold:
- - 0
- excludeHitsFromPreviousRun": true,
- aggType: count
- groupBy: all
- scheduled_task_id: e0d62360-78e8-11ee-9177-f7d404c8c945
- created_by: elastic
- updated_by: elastic",
- created_at: '2023-11-01T19:00:10.453Z'
- updated_at: '2023-11-01T19:00:10.453Z'
- api_key_owner: elastic
- api_key_created_by_user: false
- throttle: null
- mute_all: false
- notify_when: null
- muted_alert_ids: []
- execution_status:
- status: pending
- last_execution_date: '2023-11-01T19:00:10.453Z'
- revision: 0
- running: false
- create_es_query_rule_response:
- summary: Elasticsearch query rule (DSL)
- description: The response for successfully creating an Elasticsearch query rule that uses Elasticsearch query domain specific language (DSL).
- value:
- id: 58148c70-407f-11ee-850e-c71febc4ca7f
- enabled: true
- name: my Elasticsearch query rule
- tags: []
- rule_type_id: .es-query
- consumer: alerts
- schedule:
- interval: 1d
- actions:
- - group: query matched
- id: fdbece50-406c-11ee-850e-c71febc4ca7f
- params:
- level: info
- message: The system has detected {{alerts.new.count}} new, {{alerts.ongoing.count}} ongoing, and {{alerts.recovered.count}} recovered alerts.
- connector_type_id: .server-log
- frequency:
- summary: true
- notify_when: onThrottleInterval
- throttle: 1d
- uuid: 53f3c2a3-e5d0-4cfa-af3b-6f0881385e78
- - group: recovered
- id: fdbece50-406c-11ee-850e-c71febc4ca7f
- params:
- level: info
- message: Recovered
- connector_type_id: .server-log
- frequency:
- summary: false
- notify_when: onActionGroupChange
- throttle: null
- uuid: 2324e45b-c0df-45c7-9d70-4993e30be758
- params:
- thresholdComparator: '>'
- timeWindowSize: 1
- timeWindowUnit: d
- threshold:
- - 100
- size: 100
- timeField: '@timestamp'
- index:
- - kibana_sample_data_logs
- esQuery: '"""{"query":{"match_all" : {}}}"""'
- excludeHitsFromPreviousRun: true
- aggType: count
- groupBy: all
- searchType: esQuery
- scheduled_task_id: 58148c70-407f-11ee-850e-c71febc4ca7f
- created_by: elastic
- updated_by: elastic
- created_at: '2023-08-22T00:03:38.263Z'
- updated_at: '2023-08-22T00:03:38.263Z'
- api_key_owner: elastic
- api_key_created_by_user: false
- throttle: null
- mute_all: false
- notify_when: null
- muted_alert_ids: []
- execution_status:
- status: pending
- last_execution_date: '2023-08-22T00:03:38.263Z'
- revision: 0
- running: false
- create_es_query_kql_rule_response:
- summary: Elasticsearch query rule (KQL)
- description: The response for successfully creating an Elasticsearch query rule that uses Kibana query language (KQL).
- value:
- id: 7bd506d0-2284-11ee-8fad-6101956ced88
- enabled: true
- name: my Elasticsearch query KQL rule"
- tags: []
- rule_type_id: .es-query
- consumer: alerts
- schedule:
- interval: 1m
- actions: []
- params:
- searchConfiguration:
- query:
- query: '""geo.src : "US" ""'
- language: kuery
- index: 90943e30-9a47-11e8-b64d-95841ca0b247
- searchType: searchSource
- timeWindowSize: 5
- timeWindowUnit: m
- threshold:
- - 1000
- thresholdComparator: '>'
- size: 100
- aggType: count
- groupBy: all
- excludeHitsFromPreviousRun: true
- created_by: elastic
- updated_by: elastic
- created_at: '2023-07-14T20:24:50.729Z'
- updated_at: '2023-07-14T20:24:50.729Z'
- api_key_owner: elastic
- api_key_created_by_user: false
- throttle: null
- notify_when: null
- mute_all: false
- muted_alert_ids: []
- scheduled_task_id: 7bd506d0-2284-11ee-8fad-6101956ced88
- execution_status:
- status: pending
- last_execution_date: '2023-07-14T20:24:50.729Z'
- revision: 0
- running: false
- create_index_threshold_rule_response:
- summary: Index threshold rule
- description: The response for successfully creating an index threshold rule.
- value:
- actions:
- - group: threshold met
- id: dceeb5d0-6b41-11eb-802b-85b0c1bc8ba2
- uuid: 07aef2a0-9eed-4ef9-94ec-39ba58eb609d
- connector_type_id: .server-log
- frequency:
- notify_when: onActionGroupChange
- summary: false
- throttle: null
- params:
- level: info
- message: |-
- Rule {{rule.name}} is active for group {{context.group} :
-
- - Value: {{context.value}}
- - Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}}
- - Timestamp: {{context.date}}
- alert_delay:
- active: 3
- api_key_created_by_user: false
- api_key_owner: elastic
- consumer: alerts
- created_at: '2022-06-08T17:20:31.632Z'
- created_by: elastic
- enabled: true
- execution_status:
- last_execution_date: '2022-06-08T17:20:31.632Z'
- status: pending
- id: 41893910-6bca-11eb-9e0d-85d233e3ee35
- muted_alert_ids: []
- mute_all: false
- name: my rule
- notify_when: null
- params:
- aggType: avg
- termSize: 6
- thresholdComparator: '>'
- timeWindowSize: 5
- timeWindowUnit: m
- groupBy: top
- threshold:
- - 1000
- index:
- - .test-index
- timeField: '@timestamp'
- aggField: sheet.version
- termField: name.keyword
- revision: 0
- rule_type_id: .index-threshold
- running: false
- schedule:
- interval: 1m
- scheduled_task_id: 425b0800-6bca-11eb-9e0d-85d233e3ee35
- tags:
- - cpu
- throttle: null
- updated_at: '2022-06-08T17:20:31.632Z'
- updated_by: elastic
- create_tracking_containment_rule_response:
- summary: Tracking containment rule
- description: The response for successfully creating a tracking containment rule.
- value:
- id: b6883f9d-5f70-4758-a66e-369d7c26012f
- name: my tracking rule
- tags: []
- enabled: true
- consumer: alerts
- throttle: null
- revision: 1
- running: false
- schedule:
- interval: 1h
- params:
- index: kibana_sample_data_logs
- dateField: '@timestamp'
- geoField: geo.coordinates
- entity: agent.keyword
- boundaryType: entireIndex
- boundaryIndexTitle: boundary*
- boundaryGeoField: location
- boundaryNameField: name
- indexId: 90943e30-9a47-11e8-b64d-95841ca0b247
- boundaryIndexId: 0cd90abf-abe7-44c7-909a-f621bbbcfefc
- rule_type_id: .geo-containment
- created_by: elastic
- updated_by: elastic
- created_at: '2024-02-14T19:52:55.920Z'
- updated_at: '2024-02-15T03:24:32.574Z'
- api_key_owner: elastic
- notify_when: null
- mute_all: false
- muted_alert_ids: []
- scheduled_task_id: b6883f9d-5f70-4758-a66e-369d7c26012f
- execution_status:
- status: ok
- last_execution_date: '2024-02-15T03:25:38.125Z'
- last_duration: 74
- actions: []
- last_run:
- alerts_count:
- active: 0
- new: 0
- recovered: 0
- ignored: 0
- outcome_msg: null
- outcome_order: 0
- outcome: succeeded
- warning: null
- next_run: '2024-02-15T03:26:38.033Z'
- api_key_created_by_user: false
- find_rules_response:
- summary: Index threshold rule
- description: A response that contains information about an index threshold rule.
- value:
- page: 1
- total: 1
- per_page: 10
- data:
- - id: 3583a470-74f6-11ed-9801-35303b735aef
- consumer: alerts
- tags:
- - cpu
- name: my alert
- enabled: true
- throttle: null
- schedule:
- interval: 1m
- params:
- aggType: avg
- termSize: 6
- thresholdComparator: '>'
- timeWindowSize: 5
- timeWindowUnit: m
- groupBy: top
- threshold:
- - 1000
- index:
- - test-index
- timeField: '@timestamp'
- aggField: sheet.version
- termField: name.keyword
- revision: 1
- rule_type_id: .index-threshold
- created_by: elastic
- updated_by: elastic
- created_at: '2022-12-05T23:40:33.132Z'
- updated_at: '2022-12-05T23:40:33.132Z'
- api_key_owner: elastic
- mute_all: false
- muted_alert_ids: []
- scheduled_task_id: 3583a470-74f6-11ed-9801-35303b735aef
- execution_status:
- status: ok
- last_execution_date: '2022-12-06T01:44:23.983Z'
- last_duration: 48
- actions:
- - id: 9dca3e00-74f5-11ed-9801-35303b735aef
- group: threshold met
- uuid: 1c7a1280-f28c-4e06-96b2-e4e5f05d1d61
- params:
- level: info
- message: |-
- Rule {{rule.name}} is active for group {{context.group}}:
-
- - Value: {{context.value}}
- - Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}}
- - Timestamp: {{context.date}}
- connector_type_id: .server-log
- frequency:
- summary: false
- notify_when: onActionGroupChange
- throttle: null
- last_run:
- alerts_count:
- new: 0
- ignored: 0
- recovered: 0
- active: 0
- outcome_msg: null
- warning: null
- outcome: succeeded
- next_run: '2022-12-06T01:45:23.912Z'
- api_key_created_by_user: false
- find_rules_response_conditional_action:
- summary: Security rule
- description: A response that contains information about a security rule that has conditional actions.
- value:
- page: 1
- total: 1
- per_page: 10
- data:
- - id: 6107a8f0-f401-11ed-9f8e-399c75a2deeb
- name: security_rule
- consumer: siem
- enabled: true
- tags: []
- throttle: null
- revision: 1
- running: false
- schedule:
- interval: 1m
- params:
- author: []
- description: A security threshold rule.
- ruleId: an_internal_rule_id
- falsePositives: []
- from: now-3660s
- immutable: false
- license: ''
- outputIndex: ''
- meta:
- from: 1h
- kibana_siem_app_url: https://localhost:5601/app/security
- maxSignals: 100
- riskScore: 21
- riskScoreMapping: []
- severity: low
- severityMapping: []
- threat: []
- to: now
- references: []
- version: 1
- exceptionsList: []
- type: threshold
- language: kuery
- index:
- - kibana_sample_data_logs
- query: '*'
- filters: []
- threshold:
- field:
- - bytes
- value: 1
- cardinality: []
- rule_type_id: siem.thresholdRule
- created_by: elastic
- updated_by: elastic
- created_at: '2023-05-16T15:50:28.358Z'
- updated_at: '2023-05-16T20:25:42.559Z'
- api_key_owner: elastic
- notify_when: null
- mute_all: false
- muted_alert_ids: []
- scheduled_task_id: 6107a8f0-f401-11ed-9f8e-399c75a2deeb
- execution_status:
- status: ok
- last_execution_date: '2023-05-16T20:26:49.590Z'
- last_duration: 166
- actions:
- - group: default
- id: 49eae970-f401-11ed-9f8e-399c75a2deeb
- params:
- documents:
- - rule_id:
- '[object Object]': null
- rule_name:
- '[object Object]': null
- alert_id:
- '[object Object]': null
- context_message:
- '[object Object]': null
- connector_type_id: .index
- frequency:
- summary: true
- notify_when: onActiveAlert
- throttle: null
- uuid: 1c7a1280-f28c-4e06-96b2-e4e5f05d1d61
- alerts_filter:
- timeframe:
- days:
- - 7
- timezone: UTC
- hours:
- start: '08:00'
- end: '17:00'
- query:
- kql: ''
- filters:
- - meta:
- disabled: false
- negate: false
- alias: null
- index: c4bdca79-e69e-4d80-82a1-e5192c621bea
- key: client.geo.region_iso_code
- field: client.geo.region_iso_code
- params:
- query: CA-QC
- type: phrase
- $state:
- store: appState
- query:
- match_phrase:
- client.geo.region_iso_code: CA-QC
- last_run:
- alerts_count:
- new: 0
- ignored: 0
- recovered: 0
- active: 0
- outcome_msg:
- - Rule execution completed successfully
- outcome_order: 0
- warning: null
- outcome: succeeded
- next_run: '2023-05-16T20:27:49.507Z'
- api_key_created_by_user: false
- get_roles_response1:
- summary: Get all role details
- value:
- - name: my_kibana_role
- description: My kibana role description
- metadata:
- version: 1
- transient_metadata:
- enabled: true
- elasticsearch:
- indices: []
- cluster: []
- run_as: []
- kibana:
- - base:
- - all
- feature: {}
- spaces:
- - '*'
- - name: my_admin_role
- description: My admin role description
- metadata:
- version: 1
- transient_metadata:
- enabled: true
- elasticsearch:
- cluster:
- - all
- indices:
- - names:
- - index1
- - index2
- privileges:
- - all
- field_security:
- grant:
- - title
- - body
- query: '{\"match\": {\"title\": \"foo\"}}'
- kibana: []
- get_role_response1:
- summary: Get role details
- value:
- name: my_kibana_role
- description: Grants all cluster privileges and full access to index1 and index2. Grants full access to remote_index1 and remote_index2, and the monitor_enrich cluster privilege on remote_cluster1. Grants all Kibana privileges in the default space.
- metadata:
- version: 1
- transient_metadata:
- enabled: true
- elasticsearch:
- cluster:
- - all
- remote_cluster:
- - privileges:
- - monitor_enrich
- clusters:
- - remote_cluster1
- indices:
- - names:
- - index1
- - index2
- privileges:
- - all
- allow_restricted_indices: false
- remote_indices:
- - names:
- - remote_index1
- - remote_index2
- privileges:
- - all
- allow_restricted_indices: false
- clusters:
- - remote_cluster1
- run_as: []
- kibana:
- - base:
- - all
- feature: {}
- spaces:
- - default
- _transform_error: []
- _unrecognized_applications: []
- create_role_request1:
- summary: Feature privileges in multiple spaces
- description: Grant access to various features in some spaces.
- value:
- description: Grant full access to discover and dashboard features in the default space. Grant read access in the marketing, and sales spaces.
- metadata:
- version: 1
- elasticsearch:
- cluster: []
- indices: []
- kibana:
- - base: []
- feature:
- discover:
- - all
- dashboard:
- - all
- spaces:
- - default
- - base:
- - read
- spaces:
- - marketing
- - sales
- create_role_request2:
- summary: Dashboard privileges in a space
- description: Grant access to dashboard features in a Marketing space.
- value:
- description: Grant dashboard access in the Marketing space.
- metadata:
- version: 1
- elasticsearch:
- cluster: []
- indices: []
- kibana:
- - base: []
- feature:
- dashboard:
- - read
- spaces:
- - marketing
- create_role_request3:
- summary: Feature privileges in a space
- description: Grant full access to all features in the default space.
- value:
- metadata:
- version: 1
- elasticsearch:
- cluster: []
- indices: []
- kibana:
- - base:
- - all
- feature: {}
- spaces:
- - default
- create_role_request4:
- summary: Elasticsearch and Kibana feature privileges
- description: Grant Elasticsearch and Kibana feature privileges.
- value:
- description: Grant all cluster privileges and full access to index1 and index2. Grant full access to remote_index1 and remote_index2, and the monitor_enrich cluster privilege on remote_cluster1. Grant all Kibana privileges in the default space.
- metadata:
- version: 1
- elasticsearch:
- cluster:
- - all
- indices:
- - names:
- - index1
- - index2
- privileges:
- - all
- remote_indices:
- - clusters:
- - remote_cluster1
- names:
- - remote_index1
- - remote_index2
- privileges:
- - all
- remote_cluster:
- - clusters:
- - remote_cluster1
- privileges:
- - monitor_enrich
- kibana:
- - base:
- - all
- feature: {}
- spaces:
- - default
- copy_saved_objects_request1:
- summary: Copy with createNewCopies
- description: |
- Copy a dashboard with the my-dashboard ID, including all references from the default space to the marketing space. In this example, the dashboard has a reference to a visualization and that has a reference to a data view.
- value:
- objects:
- - type: dashboard
- id: my-dashboard
- spaces:
- - marketing
- includeReferences: true
- copy_saved_objects_request2:
- summary: Copy without createNewCopies
- description: |
- Copy a dashboard with the my-dashboard ID, including all references from the default space to the marketing space. In this example, the dashboard has a reference to a visualization and that has a reference to a data view.
- value:
- objects:
- - type: dashboard
- id: my-dashboard
- spaces:
- - marketing
- includeReferences: true
- createNewCopies: false
- copy_saved_objects_response1:
- summary: Copy with createNewCopies
- description: |
- The response for successfully copying a dashboard with the my-dashboard ID, including all references from the default space to the marketing space. The result indicates a successful copy and all three objects are created. Since these objects were created as new copies, each entry in the successResults array includes a destinationId attribute.
- value:
- marketing:
- success: true
- successCount: 3
- successResults:
- - id: my-dashboard
- type: dashboard
- destinationId: 1e127098-5b80-417f-b0f1-c60c8395358f
- meta:
- icon: dashboardApp
- title: Look at my dashboard
- - id: my-vis
- type: visualization
- destinationId: a610ed80-1c73-4507-9e13-d3af736c8e04
- meta:
- icon: visualizeApp
- title: Look at my visualization
- - id: my-index-pattern
- type: index-pattern
- destinationId: bc3c9c70-bf6f-4bec-b4ce-f4189aa9e26b
- meta:
- icon: indexPatternApp
- title: my-pattern-*
- copy_saved_objects_response2:
- summary: Copy without createNewCopies
- description: |
- The response for successfully copying a dashboard with the my-dashboard ID with createNewCopies turned off. The result indicates a successful copy and all three objects are created.
- value:
- marketing:
- success: true
- successCount: 3
- successResults:
- - id: my-dashboard
- type: dashboard
- meta:
- icon: dashboardApp
- title: Look at my dashboard
- - id: my-vis
- type: visualization
- meta:
- icon: visualizeApp
- title: Look at my visualization
- - id: my-index-pattern
- type: index-pattern
- meta:
- icon: indexPatternApp
- title: my-pattern-*
- copy_saved_objects_response3:
- summary: Failed copy response with conflict errors
- description: |
- A response for a failed copy of a dashboard with the my-dashboard ID including all references from the default space to the marketing and sales spaces. In this example, the dashboard has a reference to a visualization and a Canvas workpad and the visualization has a reference to an index pattern. The result indicates a successful copy for the marketing space and an unsuccessful copy for the sales space because the data view, visualization, and Canvas workpad each resulted in a conflict error. Objects are created when the error is resolved using the resolve copy conflicts API.
- value:
- marketing:
- success: true
- successCount: 4
- successResults:
- - id: my-dashboard
- type: dashboard
- meta:
- icon: dashboardApp
- title: Look at my dashboard
- - id: my-vis
- type: visualization
- meta:
- icon: visualizeApp
- title: Look at my visualization
- - id: my-canvas
- type: canvas-workpad
- meta:
- icon: canvasApp
- title: Look at my canvas
- - id: my-index-pattern
- type: index-pattern
- meta:
- icon: indexPatternApp
- title: my-pattern-*
- sales:
- success: false
- successCount: 1,
- errors:
- - id: my-pattern
- type: index-pattern
- title: my-pattern-*
- error:
- type: conflict
- meta:
- icon: indexPatternApp
- title: my-pattern-*
- - id: my-visualization
- type: my-vis
- title: Look at my visualization
- error:
- type: conflict
- destinationId: another-vis
- meta:
- icon: visualizeApp
- title: Look at my visualization
- - id: my-canvas
- type: canvas-workpad
- title: Look at my canvas
- error:
- type: ambiguous_conflict
- destinations:
- - id: another-canvas
- title: Look at another canvas
- updatedAt: '2020-07-08T16:36:32.377Z'
- - id: yet-another-canvas
- title: Look at yet another canvas
- updatedAt: '2020-07-05T12:29:54.849Z'
- meta:
- icon: canvasApp
- title: Look at my canvas
- successResults":
- - id: my-dashboard
- type: dashboard
- meta:
- icon: dashboardApp
- title: Look at my dashboard
- copy_saved_objects_response4:
- summary: Failed copy with missing reference errors
- description: |
- The response for successfully copying a dashboard with the my-dashboard ID, including all references from the default space to the marketing space. In this example, the dashboard has a reference to a visualization and a Canvas workpad and the visualization has a reference to a data view. The result indicates an unsuccessful copy because the visualization resulted in a missing references error. Objects are created when the errors are resolved using the resolve copy conflicts API.
- value:
- marketing:
- success: false
- successCount: 2
- errors:
- - id: my-vis
- type: visualization
- title: Look at my visualization
- error:
- type: missing_references
- references:
- - type: index-pattern
- id: my-pattern-*
- meta:
- icon: visualizeApp
- title: Look at my visualization
- successResults:
- - id: my-dashboard
- type: dashboard
- meta:
- icon: dashboardApp
- title: Look at my dashboard
- - id: my-canvas
- type: canvas-workpad
- meta:
- icon: canvasApp
- title: Look at my canvas
- disable_legacy_url_request1:
- summary: Disable legacy URL aliases
- description: |
- This request leaves the alias intact but the legacy URL for this alias (http://localhost:5601/s/bills-space/app/dashboards#/view/123) will no longer function. The dashboard still exists and you can access it with the new URL.
- value:
- aliases:
- - targetSpace: bills-space
- targetType: dashboard
- sourceId: 123
- resolve_copy_saved_objects_request1:
- summary: Resolve conflict errors
- description: |
- Resolve conflict errors for a data view, visualization, and Canvas workpad by overwriting the existing saved objects. NOTE: If a prior copy attempt resulted in resolvable errors, you must include a retry for each object you want to copy, including any that were returned in the successResults array. In this example, we retried copying the dashboard accordingly.
- value:
- objects:
- - type: dashboard
- id: my-dashboard
- includeReferences: true
- createNewCopies: false
- retries:
- sales:
- - type: index-pattern
- id: my-pattern
- overwrite: true
- - type: visualization
- id: my-vis
- overwrite: true,
- destinationId: another-vis
- - type: canvas
- id: my-canvas
- overwrite: true
- destinationId: yet-another-canvas
- - type: dashboard
- id: my-dashboard
- resolve_copy_saved_objects_request2:
- summary: Resolve missing reference errors
- description: |
- Resolve missing reference errors for a visualization by ignoring the error. NOTE: If a prior copy attempt resulted in resolvable errors, you must include a retry for each object you want to copy, including any that were returned in the successResults array. In this example, we retried copying the dashboard and canvas accordingly.
- value:
- objects:
- - type: dashboard
- id: my-dashboard
- includeReferences: true
- createNewCopies: false
- retries:
- marketing:
- - type: visualization
- id: my-vis
- ignoreMissingReferences: true
- - type: canvas
- id: my-canvas
- - type: dashboard
- id: my-dashboard
- update_saved_objects_spaces_request1:
- summary: Update saved object spaces
- description: Update the spaces of each saved object and all its references.
- value:
- objects:
- - type: index-pattern
- id: 90943e30-9a47-11e8-b64d-95841ca0b247
- spacesToAdd:
- - test
- spacesToRemove: []
- update_saved_objects_spaces_response1:
- summary: Update saved object spaces
- description: |
- The response from updating the spaces of saved objects.
- value:
- objects:
- - type: index-pattern
- id: 90943e30-9a47-11e8-b64d-95841ca0b247
- spaces:
- - default
- - test
- get_spaces_response1:
- summary: Get all spaces
- description: Get all spaces without specifying any options.
- value:
- - id: default
- name: Default
- description: This is the Default Space
- disabledFeatures: []
- imageUrl: ''
- _reserved: true
- - id: marketing
- name: Marketing
- description: This is the Marketing Space
- color: null
- disabledFeatures:
- - apm
- initials: MK
- imageUrl: data:image/png;base64,iVBORw0KGgoAAAANSU
- - id: sales
- name: Sales
- initials: MK
- disabledFeatures:
- - discover
- imageUr": ''
- solution: oblt
- get_spaces_response2:
- summary: Get all spaces with custom options
- description: |
- The user has read-only access to the Sales space. Get all spaces with the following query parameters: "purpose=shareSavedObjectsIntoSpace&include_authorized_purposes=true"
- value:
- - id: default
- name: Default
- description: This is the Default Space
- disabledFeatures: []
- imageUrl: ''
- _reserved: true
- authorizedPurposes:
- any: true
- copySavedObjectsIntoSpace: true
- findSavedObjects: true
- shareSavedObjectsIntoSpace: true
- - id: marketing
- name: Marketing
- description: This is the Marketing Space
- color: null
- disabledFeatures:
- - apm
- initials: MK
- imageUrl: data:image/png;base64,iVBORw0KGgoAAAANSU
- authorizedPurposes:
- any: true
- copySavedObjectsIntoSpace: true
- findSavedObjects: true
- shareSavedObjectsIntoSpace: true
- - id: sales
- name: Sales
- initials: MK
- disabledFeatures:
- - discover
- imageUrl: ''
- authorizedPurposes:
- any: true
- copySavedObjectsIntoSpace: false
- findSavedObjects: true
- shareSavedObjectsIntoSpace: false
- create_space_request:
- summary: Create a marketing space
- value:
- id: marketing
- name: Marketing
- description: This is the Marketing Space
- color: null
- initials: MK
- disabledFeatures: []
- imageUrl: data:image/png;base64,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
- get_space_response:
- summary: Get details about a marketing space
- value:
- id: marketing
- name: Marketing
- description: This is the Marketing Space
- color: null
- initials: MK
- disabledFeatures: []
- imageUrl: ''
- solution: es
- update_space_request:
- summary: Update a marketing space
- description: Update the marketing space to remove the imageUrl.
- value:
- id: marketing
- name: Marketing
- description: This is the Marketing Space
- color: null
- initials: MK
- disabledFeatures: []
- imageUrl: ''
parameters:
Alerting_kbn_xsrf:
description: Cross-site request forgery protection
@@ -31549,8 +33027,10 @@ components:
example: 09f0c261e39e36351d75995b78bb83673774d1bc2cca9df2d15f0e5c0a99a540
type: string
Cases_assignees_filter:
- description: |
- Filters the returned cases by assignees. Valid values are `none` or unique identifiers for the user profiles. These identifiers can be found by using the suggest user profile API.
+ description: >
+ Filters the returned cases by assignees. Valid values are `none` or
+ unique identifiers for the user profiles. These identifiers can be found
+ by using the suggest user profile API.
in: query
name: assignees
schema:
@@ -31558,7 +33038,9 @@ components:
- $ref: '#/components/schemas/Cases_string'
- $ref: '#/components/schemas/Cases_string_array'
Cases_case_id:
- description: The identifier for the case. To retrieve case IDs, use the find cases API. All non-ASCII characters must be URL encoded.
+ description: >-
+ The identifier for the case. To retrieve case IDs, use the find cases
+ API. All non-ASCII characters must be URL encoded.
in: path
name: caseId
required: true
@@ -31574,8 +33056,9 @@ components:
- $ref: '#/components/schemas/Cases_case_category'
- $ref: '#/components/schemas/Cases_case_categories'
Cases_comment_id:
- description: |
- The identifier for the comment. To retrieve comment IDs, use the get case or find cases APIs.
+ description: >
+ The identifier for the comment. To retrieve comment IDs, use the get
+ case or find cases APIs.
in: path
name: commentId
required: true
@@ -31591,7 +33074,9 @@ components:
example: 3297a0f0-b5ec-11ec-b141-0fdb20a7f9a9
type: string
Cases_connector_id:
- description: An identifier for the connector. To retrieve connector IDs, use the find connectors API.
+ description: >-
+ An identifier for the connector. To retrieve connector IDs, use the find
+ connectors API.
in: path
name: connectorId
required: true
@@ -31607,16 +33092,18 @@ components:
default: OR
type: string
Cases_from:
- description: |
- Returns only cases that were created after a specific date. The date must be specified as a KQL data range or date match expression.
+ description: >
+ Returns only cases that were created after a specific date. The date
+ must be specified as a KQL data range or date match expression.
in: query
name: from
schema:
example: now-1d
type: string
Cases_ids:
- description: |
- The cases that you want to removed. All non-ASCII characters must be URL encoded.
+ description: >
+ The cases that you want to removed. All non-ASCII characters must be URL
+ encoded.
example: d4e7abb0-b462-11ec-9a8d-698504725a43
in: query
name: ids
@@ -31629,7 +33116,9 @@ components:
type: array
Cases_includeComments:
deprecated: true
- description: Deprecated in 8.1.0. This parameter is deprecated and will be removed in a future release. It determines whether case comments are returned.
+ description: >-
+ Deprecated in 8.1.0. This parameter is deprecated and will be removed in
+ a future release. It determines whether case comments are returned.
in: query
name: includeComments
schema:
@@ -31643,8 +33132,10 @@ components:
schema:
type: string
Cases_owner_filter:
- description: |
- A filter to limit the response to a specific set of applications. If this parameter is omitted, the response contains information about all the cases that the user has access to read.
+ description: >
+ A filter to limit the response to a specific set of applications. If
+ this parameter is omitted, the response contains information about all
+ the cases that the user has access to read.
example: cases
in: query
name: owner
@@ -31679,7 +33170,9 @@ components:
- $ref: '#/components/schemas/Cases_string'
- $ref: '#/components/schemas/Cases_string_array'
Cases_search:
- description: An Elasticsearch simple_query_string query that filters the objects in the response.
+ description: >-
+ An Elasticsearch simple_query_string query that filters the objects in
+ the response.
in: query
name: search
schema:
@@ -31751,8 +33244,9 @@ components:
- $ref: '#/components/schemas/Cases_string'
- $ref: '#/components/schemas/Cases_string_array'
Cases_to:
- description: |
- Returns only cases that were created before a specific date. The date must be specified as a KQL data range or date match expression.
+ description: >
+ Returns only cases that were created before a specific date. The date
+ must be specified as a KQL data range or date match expression.
example: now+1d
in: query
name: to
@@ -31807,7 +33301,9 @@ components:
example: ff959d40-b880-11e8-a6d9-e546fe2bba5f
type: string
Machine_learning_APIs_simulateParam:
- description: When true, simulates the synchronization by returning only the list of actions that would be performed.
+ description: >-
+ When true, simulates the synchronization by returning only the list of
+ actions that would be performed.
example: 'true'
in: query
name: simulate
@@ -31829,7 +33325,9 @@ components:
schema:
type: string
Saved_objects_saved_object_type:
- description: Valid options include `visualization`, `dashboard`, `search`, `index-pattern`, `config`.
+ description: >-
+ Valid options include `visualization`, `dashboard`, `search`,
+ `index-pattern`, `config`.
in: path
name: type
required: true
@@ -31858,7 +33356,9 @@ components:
example: 9c235211-6834-11ea-a78c-6feb38a34414
type: string
SLOs_space_id:
- description: An identifier for the space. If `/s/` and the identifier are omitted from the path, the default space is used.
+ description: >-
+ An identifier for the space. If `/s/` and the identifier are omitted
+ from the path, the default space is used.
in: path
name: spaceId
required: true
@@ -31976,11 +33476,15 @@ components:
description: Indicates whether it is a dynamic field mapping.
type: boolean
format:
- description: |
- Indicates the format of the field. For example, if the `type` is `date_range`, the `format` can be `epoch_millis||strict_date_optional_time`.
+ description: >
+ Indicates the format of the field. For example, if the `type` is
+ `date_range`, the `format` can be
+ `epoch_millis||strict_date_optional_time`.
type: string
ignore_above:
- description: Specifies the maximum length of a string field. Longer strings are not indexed or stored.
+ description: >-
+ Specifies the maximum length of a string field. Longer strings are
+ not indexed or stored.
type: integer
index:
description: Indicates whether field values are indexed.
@@ -31995,15 +33499,18 @@ components:
type:
description: The data type for each object property.
type: string
- description: |
- Details about the object properties. This property is applicable when `type` is `object`.
+ description: >
+ Details about the object properties. This property is applicable
+ when `type` is `object`.
type: object
required:
description: Indicates whether the field is required.
type: boolean
scaling_factor:
- description: |
- The scaling factor to use when encoding values. This property is applicable when `type` is `scaled_float`. Values will be multiplied by this factor at index time and rounded to the closest long value.
+ description: >
+ The scaling factor to use when encoding values. This property is
+ applicable when `type` is `scaled_float`. Values will be multiplied
+ by this factor at index time and rounded to the closest long value.
type: integer
type:
description: Specifies the data type for the field.
@@ -32326,8 +33833,10 @@ components:
example: 0bc3b5ebf18fba8163fe4c96f491e3767a358f85
type: string
mark_as_applied_by_agent:
- description: |
- `markAsAppliedByAgent=true` means "force setting it to true regardless of etag".
+ description: >
+ `markAsAppliedByAgent=true` means "force setting it to true
+ regardless of etag".
+
This is needed for Jaeger agent that doesn't have etags
type: boolean
service:
@@ -32442,7 +33951,9 @@ components:
type: object
properties:
bundle_filepath:
- description: The absolute path of the final bundle as used in the web application.
+ description: >-
+ The absolute path of the final bundle as used in the web
+ application.
type: string
service_name:
description: The name of the service that the service map should apply to.
@@ -32451,9 +33962,11 @@ components:
description: The version of the service that the service map should apply to.
type: string
sourcemap:
- description: |
+ description: >
The source map. String or file upload. It must follow the
- [source map revision 3 proposal](https://docs.google.com/document/d/1U1RGAehQwRypUTovF1KRlpiOFze0b-_2gc6fAH0KY0k).
+
+ [source map revision 3
+ proposal](https://docs.google.com/document/d/1U1RGAehQwRypUTovF1KRlpiOFze0b-_2gc6fAH0KY0k).
format: binary
type: string
required:
@@ -32532,7 +34045,9 @@ components:
- type
title: Add case comment request properties for alerts
Cases_add_case_comment_request:
- description: The add comment to case API request body varies depending on whether you are adding an alert or a comment.
+ description: >-
+ The add comment to case API request body varies depending on whether you
+ are adding an alert or a comment.
discriminator:
mapping:
alert: '#/components/schemas/Cases_add_alert_comment_request_properties'
@@ -32543,7 +34058,9 @@ components:
- $ref: '#/components/schemas/Cases_add_user_comment_request_properties'
title: Add case comment request
Cases_add_case_file_request:
- description: Defines the file that will be attached to the case. Optional parameters will be generated automatically from the file metadata if not defined.
+ description: >-
+ Defines the file that will be attached to the case. Optional parameters
+ will be generated automatically from the file metadata if not defined.
type: object
properties:
file:
@@ -32551,7 +34068,10 @@ components:
format: binary
type: string
filename:
- description: The desired name of the file being attached to the case, it can be different than the name of the file in the filesystem. **This should not include the file extension.**
+ description: >-
+ The desired name of the file being attached to the case, it can be
+ different than the name of the file in the filesystem. **This should
+ not include the file extension.**
type: string
required:
- file
@@ -32700,8 +34220,16 @@ components:
required:
- type
Cases_alert_identifiers:
- description: |
- The alert identifiers. It is required only when `type` is `alert`. You can use an array of strings to add multiple alerts to a case, provided that they all relate to the same rule; `index` must also be an array with the same length or number of elements. Adding multiple alerts in this manner is recommended rather than calling the API multiple times. This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.
+ description: >
+ The alert identifiers. It is required only when `type` is `alert`. You
+ can use an array of strings to add multiple alerts to a case, provided
+ that they all relate to the same rule; `index` must also be an array
+ with the same length or number of elements. Adding multiple alerts in
+ this manner is recommended rather than calling the API multiple times.
+ This functionality is in technical preview and may be changed or removed
+ in a future release. Elastic will work to fix any issues, but features
+ in technical preview are not subject to the support SLA of official GA
+ features.
example: 6b24c4dc44bc720cfc92797f3d61fff952f2b2627db1fb4f8cc49f4530c4ff42
oneOf:
- type: string
@@ -32712,8 +34240,15 @@ components:
title: Alert identifiers
x-state: Technical preview
Cases_alert_indices:
- description: |
- The alert indices. It is required only when `type` is `alert`. If you are adding multiple alerts to a case, use an array of strings; the position of each index name in the array must match the position of the corresponding alert identifier in the `alertId` array. This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.
+ description: >
+ The alert indices. It is required only when `type` is `alert`. If you
+ are adding multiple alerts to a case, use an array of strings; the
+ position of each index name in the array must match the position of the
+ corresponding alert identifier in the `alertId` array. This
+ functionality is in technical preview and may be changed or removed in a
+ future release. Elastic will work to fix any issues, but features in
+ technical preview are not subject to the support SLA of official GA
+ features.
oneOf:
- type: string
- items:
@@ -32740,7 +34275,9 @@ components:
type: object
properties:
uid:
- description: A unique identifier for the user profile. These identifiers can be found by using the suggest user profile API.
+ description: >-
+ A unique identifier for the user profile. These identifiers can be
+ found by using the suggest user profile API.
example: u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0
type: string
required:
@@ -32870,19 +34407,25 @@ components:
type: object
properties:
key:
- description: |
- The unique identifier for the custom field. The key value must exist in the case configuration settings.
+ description: >
+ The unique identifier for the custom field. The key value must
+ exist in the case configuration settings.
type: string
type:
- description: |
- The custom field type. It must match the type specified in the case configuration settings.
+ description: >
+ The custom field type. It must match the type specified in the
+ case configuration settings.
enum:
- text
- toggle
type: string
value:
- description: |
- The custom field value. If the custom field is required, it cannot be explicitly set to null. However, for cases that existed when the required custom field was added, the default value stored in Elasticsearch is `undefined`. The value returned in the API and user interface in this case is `null`.
+ description: >
+ The custom field value. If the custom field is required, it
+ cannot be explicitly set to null. However, for cases that
+ existed when the required custom field was added, the default
+ value stored in Elasticsearch is `undefined`. The value
+ returned in the API and user interface in this case is `null`.
oneOf:
- maxLength: 160
minLength: 1
@@ -32894,8 +34437,11 @@ components:
example: A case description.
type: string
duration:
- description: |
- The elapsed time from the creation of the case to its closure (in seconds). If the case has not been closed, the duration is set to null. If the case was closed after less than half a second, the duration is rounded down to zero.
+ description: >
+ The elapsed time from the creation of the case to its closure (in
+ seconds). If the case has not been closed, the duration is set to
+ null. If the case was closed after less than half a second, the
+ duration is rounded down to zero.
example: 120
nullable: true
type: integer
@@ -33023,8 +34569,9 @@ components:
- open
type: string
Cases_case_tags:
- description: |
- The words and phrases that help categorize cases. It can be an empty array.
+ description: >
+ The words and phrases that help categorize cases. It can be an empty
+ array.
items:
maxLength: 256
type: string
@@ -33035,7 +34582,10 @@ components:
maxLength: 160
type: string
Cases_closure_types:
- description: Indicates whether a case is automatically closed when it is pushed to external systems (`close-by-pushing`) or not automatically closed (`close-by-user`).
+ description: >-
+ Indicates whether a case is automatically closed when it is pushed to
+ external systems (`close-by-pushing`) or not automatically closed
+ (`close-by-user`).
enum:
- close-by-pushing
- close-by-user
@@ -33050,7 +34600,9 @@ components:
nullable: true
type: string
id:
- description: The identifier for the connector. To retrieve connector IDs, use the find connectors API.
+ description: >-
+ The identifier for the connector. To retrieve connector IDs, use the
+ find connectors API.
type: string
name:
description: The name of the connector.
@@ -33072,7 +34624,9 @@ components:
type: object
properties:
fields:
- description: An object containing the connector fields. If you want to omit any individual field, specify null as its value.
+ description: >-
+ An object containing the connector fields. If you want to omit any
+ individual field, specify null as its value.
type: object
properties:
issueType:
@@ -33092,7 +34646,9 @@ components:
- parent
- priority
id:
- description: The identifier for the connector. To retrieve connector IDs, use the find connectors API.
+ description: >-
+ The identifier for the connector. To retrieve connector IDs, use the
+ find connectors API.
type: string
name:
description: The name of the connector.
@@ -33114,20 +34670,30 @@ components:
type: object
properties:
fields:
- description: An object containing the connector fields. To create a case without a connector, specify null. To update a case to remove the connector, specify null.
+ description: >-
+ An object containing the connector fields. To create a case without
+ a connector, specify null. To update a case to remove the connector,
+ specify null.
example: null
nullable: true
type: string
id:
- description: The identifier for the connector. To create a case without a connector, use `none`. To update a case to remove the connector, specify `none`.
+ description: >-
+ The identifier for the connector. To create a case without a
+ connector, use `none`. To update a case to remove the connector,
+ specify `none`.
example: none
type: string
name:
- description: The name of the connector. To create a case without a connector, use `none`. To update a case to remove the connector, specify `none`.
+ description: >-
+ The name of the connector. To create a case without a connector, use
+ `none`. To update a case to remove the connector, specify `none`.
example: none
type: string
type:
- description: The type of connector. To create a case without a connector, use `.none`. To update a case to remove the connector, specify `.none`.
+ description: >-
+ The type of connector. To create a case without a connector, use
+ `.none`. To update a case to remove the connector, specify `.none`.
enum:
- .none
example: .none
@@ -33143,7 +34709,9 @@ components:
type: object
properties:
fields:
- description: An object containing the connector fields. If you want to omit any individual field, specify null as its value.
+ description: >-
+ An object containing the connector fields. If you want to omit any
+ individual field, specify null as its value.
nullable: true
type: object
properties:
@@ -33181,7 +34749,9 @@ components:
type: object
properties:
fields:
- description: An object containing the connector fields. If you want to omit any individual field, specify null as its value.
+ description: >-
+ An object containing the connector fields. If you want to omit any
+ individual field, specify null as its value.
type: object
properties:
category:
@@ -33211,7 +34781,9 @@ components:
- subcategory
- urgency
id:
- description: The identifier for the connector. To retrieve connector IDs, use the find connectors API.
+ description: >-
+ The identifier for the connector. To retrieve connector IDs, use the
+ find connectors API.
type: string
name:
description: The name of the connector.
@@ -33233,7 +34805,9 @@ components:
type: object
properties:
fields:
- description: An object containing the connector fields. If you want to omit any individual field, specify null as its value.
+ description: >-
+ An object containing the connector fields. If you want to omit any
+ individual field, specify null as its value.
type: object
properties:
category:
@@ -33241,15 +34815,21 @@ components:
nullable: true
type: string
destIp:
- description: Indicates whether cases will send a comma-separated list of destination IPs.
+ description: >-
+ Indicates whether cases will send a comma-separated list of
+ destination IPs.
nullable: true
type: boolean
malwareHash:
- description: Indicates whether cases will send a comma-separated list of malware hashes.
+ description: >-
+ Indicates whether cases will send a comma-separated list of
+ malware hashes.
nullable: true
type: boolean
malwareUrl:
- description: Indicates whether cases will send a comma-separated list of malware URLs.
+ description: >-
+ Indicates whether cases will send a comma-separated list of
+ malware URLs.
nullable: true
type: boolean
priority:
@@ -33257,7 +34837,9 @@ components:
nullable: true
type: string
sourceIp:
- description: Indicates whether cases will send a comma-separated list of source IPs.
+ description: >-
+ Indicates whether cases will send a comma-separated list of
+ source IPs.
nullable: true
type: boolean
subcategory:
@@ -33273,7 +34855,9 @@ components:
- sourceIp
- subcategory
id:
- description: The identifier for the connector. To retrieve connector IDs, use the find connectors API.
+ description: >-
+ The identifier for the connector. To retrieve connector IDs, use the
+ find connectors API.
type: string
name:
description: The name of the connector.
@@ -33295,7 +34879,9 @@ components:
type: object
properties:
fields:
- description: An object containing the connector fields. If you want to omit any individual field, specify null as its value.
+ description: >-
+ An object containing the connector fields. If you want to omit any
+ individual field, specify null as its value.
type: object
properties:
caseId:
@@ -33305,7 +34891,9 @@ components:
required:
- caseId
id:
- description: The identifier for the connector. To retrieve connector IDs, use the find connectors API.
+ description: >-
+ The identifier for the connector. To retrieve connector IDs, use the
+ find connectors API.
type: string
name:
description: The name of the connector.
@@ -33335,7 +34923,9 @@ components:
example: .none
type: string
Cases_create_case_request:
- description: The create case API request body varies depending on the type of connector.
+ description: >-
+ The create case API request body varies depending on the type of
+ connector.
properties:
assignees:
$ref: '#/components/schemas/Cases_assignees'
@@ -33351,25 +34941,32 @@ components:
- $ref: '#/components/schemas/Cases_connector_properties_servicenow_sir'
- $ref: '#/components/schemas/Cases_connector_properties_swimlane'
customFields:
- description: |
- Custom field values for a case. Any optional custom fields that are not specified in the request are set to null.
+ description: >
+ Custom field values for a case. Any optional custom fields that are
+ not specified in the request are set to null.
items:
type: object
properties:
key:
- description: |
- The unique identifier for the custom field. The key value must exist in the case configuration settings.
+ description: >
+ The unique identifier for the custom field. The key value must
+ exist in the case configuration settings.
type: string
type:
- description: |
- The custom field type. It must match the type specified in the case configuration settings.
+ description: >
+ The custom field type. It must match the type specified in the
+ case configuration settings.
enum:
- text
- toggle
type: string
value:
- description: |
- The custom field value. If the custom field is required, it cannot be explicitly set to null. However, for cases that existed when the required custom field was added, the default value stored in Elasticsearch is `undefined`. The value returned in the API and user interface in this case is `null`.
+ description: >
+ The custom field value. If the custom field is required, it
+ cannot be explicitly set to null. However, for cases that
+ existed when the required custom field was added, the default
+ value stored in Elasticsearch is `undefined`. The value
+ returned in the API and user interface in this case is `null`.
oneOf:
- maxLength: 160
minLength: 1
@@ -33441,8 +35038,9 @@ components:
nullable: true
type: string
Cases_owner:
- description: |
- The application that owns the cases: Stack Management, Observability, or Elastic Security.
+ description: >
+ The application that owns the cases: Stack Management, Observability, or
+ Elastic Security.
enum:
- cases
- observability
@@ -33502,7 +35100,10 @@ components:
type: object
properties:
fields:
- description: An object containing the connector fields. To create a case without a connector, specify null. If you want to omit any individual field, specify null as its value.
+ description: >-
+ An object containing the connector fields. To create a case
+ without a connector, specify null. If you want to omit any
+ individual field, specify null as its value.
example: null
nullable: true
type: object
@@ -33511,14 +35112,20 @@ components:
description: The case identifier for Swimlane connectors.
type: string
category:
- description: The category of the incident for ServiceNow ITSM and ServiceNow SecOps connectors.
+ description: >-
+ The category of the incident for ServiceNow ITSM and
+ ServiceNow SecOps connectors.
type: string
destIp:
- description: Indicates whether cases will send a comma-separated list of destination IPs for ServiceNow SecOps connectors.
+ description: >-
+ Indicates whether cases will send a comma-separated list of
+ destination IPs for ServiceNow SecOps connectors.
nullable: true
type: boolean
impact:
- description: The effect an incident had on business for ServiceNow ITSM connectors.
+ description: >-
+ The effect an incident had on business for ServiceNow ITSM
+ connectors.
type: string
issueType:
description: The type of issue for Jira connectors.
@@ -33529,41 +35136,61 @@ components:
type: string
type: array
malwareHash:
- description: Indicates whether cases will send a comma-separated list of malware hashes for ServiceNow SecOps connectors.
+ description: >-
+ Indicates whether cases will send a comma-separated list of
+ malware hashes for ServiceNow SecOps connectors.
nullable: true
type: boolean
malwareUrl:
- description: Indicates whether cases will send a comma-separated list of malware URLs for ServiceNow SecOps connectors.
+ description: >-
+ Indicates whether cases will send a comma-separated list of
+ malware URLs for ServiceNow SecOps connectors.
nullable: true
type: boolean
parent:
- description: The key of the parent issue, when the issue type is sub-task for Jira connectors.
+ description: >-
+ The key of the parent issue, when the issue type is sub-task
+ for Jira connectors.
type: string
priority:
- description: The priority of the issue for Jira and ServiceNow SecOps connectors.
+ description: >-
+ The priority of the issue for Jira and ServiceNow SecOps
+ connectors.
type: string
severity:
description: The severity of the incident for ServiceNow ITSM connectors.
type: string
severityCode:
- description: The severity code of the incident for IBM Resilient connectors.
+ description: >-
+ The severity code of the incident for IBM Resilient
+ connectors.
type: string
sourceIp:
- description: Indicates whether cases will send a comma-separated list of source IPs for ServiceNow SecOps connectors.
+ description: >-
+ Indicates whether cases will send a comma-separated list of
+ source IPs for ServiceNow SecOps connectors.
nullable: true
type: boolean
subcategory:
- description: The subcategory of the incident for ServiceNow ITSM connectors.
+ description: >-
+ The subcategory of the incident for ServiceNow ITSM
+ connectors.
type: string
urgency:
- description: The extent to which the incident resolution can be delayed for ServiceNow ITSM connectors.
+ description: >-
+ The extent to which the incident resolution can be delayed
+ for ServiceNow ITSM connectors.
type: string
id:
- description: The identifier for the connector. To create a case without a connector, use `none`.
+ description: >-
+ The identifier for the connector. To create a case without a
+ connector, use `none`.
example: none
type: string
name:
- description: The name of the connector. To create a case without a connector, use `none`.
+ description: >-
+ The name of the connector. To create a case without a connector,
+ use `none`.
example: none
type: string
type:
@@ -33577,7 +35204,10 @@ components:
type: object
properties:
fields:
- description: An object containing the connector fields. To create a case without a connector, specify null. If you want to omit any individual field, specify null as its value.
+ description: >-
+ An object containing the connector fields. To create a case
+ without a connector, specify null. If you want to omit any
+ individual field, specify null as its value.
example: null
nullable: true
type: object
@@ -33586,14 +35216,20 @@ components:
description: The case identifier for Swimlane connectors.
type: string
category:
- description: The category of the incident for ServiceNow ITSM and ServiceNow SecOps connectors.
+ description: >-
+ The category of the incident for ServiceNow ITSM and
+ ServiceNow SecOps connectors.
type: string
destIp:
- description: Indicates whether cases will send a comma-separated list of destination IPs for ServiceNow SecOps connectors.
+ description: >-
+ Indicates whether cases will send a comma-separated list of
+ destination IPs for ServiceNow SecOps connectors.
nullable: true
type: boolean
impact:
- description: The effect an incident had on business for ServiceNow ITSM connectors.
+ description: >-
+ The effect an incident had on business for ServiceNow ITSM
+ connectors.
type: string
issueType:
description: The type of issue for Jira connectors.
@@ -33604,41 +35240,61 @@ components:
type: string
type: array
malwareHash:
- description: Indicates whether cases will send a comma-separated list of malware hashes for ServiceNow SecOps connectors.
+ description: >-
+ Indicates whether cases will send a comma-separated list of
+ malware hashes for ServiceNow SecOps connectors.
nullable: true
type: boolean
malwareUrl:
- description: Indicates whether cases will send a comma-separated list of malware URLs for ServiceNow SecOps connectors.
+ description: >-
+ Indicates whether cases will send a comma-separated list of
+ malware URLs for ServiceNow SecOps connectors.
nullable: true
type: boolean
parent:
- description: The key of the parent issue, when the issue type is sub-task for Jira connectors.
+ description: >-
+ The key of the parent issue, when the issue type is sub-task
+ for Jira connectors.
type: string
priority:
- description: The priority of the issue for Jira and ServiceNow SecOps connectors.
+ description: >-
+ The priority of the issue for Jira and ServiceNow SecOps
+ connectors.
type: string
severity:
description: The severity of the incident for ServiceNow ITSM connectors.
type: string
severityCode:
- description: The severity code of the incident for IBM Resilient connectors.
+ description: >-
+ The severity code of the incident for IBM Resilient
+ connectors.
type: string
sourceIp:
- description: Indicates whether cases will send a comma-separated list of source IPs for ServiceNow SecOps connectors.
+ description: >-
+ Indicates whether cases will send a comma-separated list of
+ source IPs for ServiceNow SecOps connectors.
nullable: true
type: boolean
subcategory:
- description: The subcategory of the incident for ServiceNow ITSM connectors.
+ description: >-
+ The subcategory of the incident for ServiceNow ITSM
+ connectors.
type: string
urgency:
- description: The extent to which the incident resolution can be delayed for ServiceNow ITSM connectors.
+ description: >-
+ The extent to which the incident resolution can be delayed
+ for ServiceNow ITSM connectors.
type: string
id:
- description: The identifier for the connector. To create a case without a connector, use `none`.
+ description: >-
+ The identifier for the connector. To create a case without a
+ connector, use `none`.
example: none
type: string
name:
- description: The name of the connector. To create a case without a connector, use `none`.
+ description: >-
+ The name of the connector. To create a case without a connector,
+ use `none`.
example: none
type: string
type:
@@ -33662,7 +35318,9 @@ components:
title:
type: string
Cases_payload_delete:
- description: If the `action` is `delete` and the `type` is `delete_case`, the payload is nullable.
+ description: >-
+ If the `action` is `delete` and the `type` is `delete_case`, the payload
+ is nullable.
nullable: true
type: object
Cases_payload_description:
@@ -33719,8 +35377,12 @@ components:
- user
type: string
Cases_rule:
- description: |
- The rule that is associated with the alerts. It is required only when `type` is `alert`. This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.
+ description: >
+ The rule that is associated with the alerts. It is required only when
+ `type` is `alert`. This functionality is in technical preview and may be
+ changed or removed in a future release. Elastic will work to fix any
+ issues, but features in technical preview are not subject to the support
+ SLA of official GA features.
title: Alerting rule
type: object
properties:
@@ -33744,7 +35406,9 @@ components:
$ref: '#/components/schemas/Cases_searchFieldsType'
type: array
Cases_set_case_configuration_request:
- description: External connection details, such as the closure type and default connector for cases.
+ description: >-
+ External connection details, such as the closure type and default
+ connector for cases.
properties:
closure_type:
$ref: '#/components/schemas/Cases_closure_types'
@@ -33753,15 +35417,24 @@ components:
type: object
properties:
fields:
- description: The fields specified in the case configuration are not used and are not propagated to individual cases, therefore it is recommended to set it to `null`.
+ description: >-
+ The fields specified in the case configuration are not used and
+ are not propagated to individual cases, therefore it is
+ recommended to set it to `null`.
nullable: true
type: object
id:
- description: The identifier for the connector. If you do not want a default connector, use `none`. To retrieve connector IDs, use the find connectors API.
+ description: >-
+ The identifier for the connector. If you do not want a default
+ connector, use `none`. To retrieve connector IDs, use the find
+ connectors API.
example: none
type: string
name:
- description: The name of the connector. If you do not want a default connector, use `none`. To retrieve connector names, use the find connectors API.
+ description: >-
+ The name of the connector. If you do not want a default
+ connector, use `none`. To retrieve connector names, use the find
+ connectors API.
example: none
type: string
type:
@@ -33777,14 +35450,18 @@ components:
type: object
properties:
defaultValue:
- description: |
- A default value for the custom field. If the `type` is `text`, the default value must be a string. If the `type` is `toggle`, the default value must be boolean.
+ description: >
+ A default value for the custom field. If the `type` is `text`,
+ the default value must be a string. If the `type` is `toggle`,
+ the default value must be boolean.
oneOf:
- type: string
- type: boolean
key:
- description: |
- A unique key for the custom field. Must be lower case and composed only of a-z, 0-9, '_', and '-' characters. It is used in API calls to refer to a specific custom field.
+ description: >
+ A unique key for the custom field. Must be lower case and
+ composed only of a-z, 0-9, '_', and '-' characters. It is used
+ in API calls to refer to a specific custom field.
maxLength: 36
minLength: 1
type: string
@@ -33800,8 +35477,10 @@ components:
- toggle
type: string
required:
- description: |
- Indicates whether the field is required. If `false`, the custom field can be set to null or omitted when a case is created or updated.
+ description: >
+ Indicates whether the field is required. If `false`, the
+ custom field can be set to null or omitted when a case is
+ created or updated.
type: boolean
required:
- key
@@ -33839,8 +35518,9 @@ components:
maxItems: 100
type: array
Cases_template_tags:
- description: |
- The words and phrases that help categorize templates. It can be an empty array.
+ description: >
+ The words and phrases that help categorize templates. It can be an empty
+ array.
items:
maxLength: 256
type: string
@@ -33861,15 +35541,24 @@ components:
type: object
properties:
fields:
- description: The fields specified in the case configuration are not used and are not propagated to individual cases, therefore it is recommended to set it to `null`.
+ description: >-
+ The fields specified in the case configuration are not
+ used and are not propagated to individual cases, therefore
+ it is recommended to set it to `null`.
nullable: true
type: object
id:
- description: The identifier for the connector. If you do not want a default connector, use `none`. To retrieve connector IDs, use the find connectors API.
+ description: >-
+ The identifier for the connector. If you do not want a
+ default connector, use `none`. To retrieve connector IDs,
+ use the find connectors API.
example: none
type: string
name:
- description: The name of the connector. If you do not want a default connector, use `none`. To retrieve connector names, use the find connectors API.
+ description: >-
+ The name of the connector. If you do not want a default
+ connector, use `none`. To retrieve connector names, use
+ the find connectors API.
example: none
type: string
type:
@@ -33889,8 +35578,11 @@ components:
- toggle
type: string
value:
- description: |
- The default value for the custom field when a case uses the template. If the `type` is `text`, the default value must be a string. If the `type` is `toggle`, the default value must be boolean.
+ description: >
+ The default value for the custom field when a case uses
+ the template. If the `type` is `text`, the default value
+ must be a string. If the `type` is `toggle`, the default
+ value must be boolean.
oneOf:
- type: string
- type: boolean
@@ -33910,8 +35602,10 @@ components:
description: A description for the template.
type: string
key:
- description: |
- A unique key for the template. Must be lower case and composed only of a-z, 0-9, '_', and '-' characters. It is used in API calls to refer to a specific template.
+ description: >
+ A unique key for the template. Must be lower case and composed
+ only of a-z, 0-9, '_', and '-' characters. It is used in API calls
+ to refer to a specific template.
type: string
name:
description: The name of the template.
@@ -33927,8 +35621,9 @@ components:
alertId:
$ref: '#/components/schemas/Cases_alert_identifiers'
id:
- description: |
- The identifier for the comment. To retrieve comment IDs, use the get comments API.
+ description: >
+ The identifier for the comment. To retrieve comment IDs, use the get
+ comments API.
example: 8af6ac20-74f6-11ea-b83a-553aecdb28b6
type: string
index:
@@ -33944,8 +35639,9 @@ components:
example: alert
type: string
version:
- description: |
- The current comment version. To retrieve version values, use the get comments API.
+ description: >
+ The current comment version. To retrieve version values, use the get
+ comments API.
example: Wzk1LDFd
type: string
required:
@@ -33958,7 +35654,9 @@ components:
- version
title: Update case comment request properties for alerts
Cases_update_case_comment_request:
- description: The update case comment API request body varies depending on whether you are updating an alert or a comment.
+ description: >-
+ The update case comment API request body varies depending on whether you
+ are updating an alert or a comment.
discriminator:
mapping:
alert: '#/components/schemas/Cases_update_alert_comment_request_properties'
@@ -33969,8 +35667,9 @@ components:
- $ref: '#/components/schemas/Cases_update_user_comment_request_properties'
title: Update case comment request
Cases_update_case_configuration_request:
- description: |
- You can update settings such as the closure type, custom fields, templates, and the default connector for cases.
+ description: >
+ You can update settings such as the closure type, custom fields,
+ templates, and the default connector for cases.
properties:
closure_type:
$ref: '#/components/schemas/Cases_closure_types'
@@ -33979,15 +35678,24 @@ components:
type: object
properties:
fields:
- description: The fields specified in the case configuration are not used and are not propagated to individual cases, therefore it is recommended to set it to `null`.
+ description: >-
+ The fields specified in the case configuration are not used and
+ are not propagated to individual cases, therefore it is
+ recommended to set it to `null`.
nullable: true
type: object
id:
- description: The identifier for the connector. If you do not want a default connector, use `none`. To retrieve connector IDs, use the find connectors API.
+ description: >-
+ The identifier for the connector. If you do not want a default
+ connector, use `none`. To retrieve connector IDs, use the find
+ connectors API.
example: none
type: string
name:
- description: The name of the connector. If you do not want a default connector, use `none`. To retrieve connector names, use the find connectors API.
+ description: >-
+ The name of the connector. If you do not want a default
+ connector, use `none`. To retrieve connector names, use the find
+ connectors API.
example: none
type: string
type:
@@ -34003,14 +35711,18 @@ components:
type: object
properties:
defaultValue:
- description: |
- A default value for the custom field. If the `type` is `text`, the default value must be a string. If the `type` is `toggle`, the default value must be boolean.
+ description: >
+ A default value for the custom field. If the `type` is `text`,
+ the default value must be a string. If the `type` is `toggle`,
+ the default value must be boolean.
oneOf:
- type: string
- type: boolean
key:
- description: |
- A unique key for the custom field. Must be lower case and composed only of a-z, 0-9, '_', and '-' characters. It is used in API calls to refer to a specific custom field.
+ description: >
+ A unique key for the custom field. Must be lower case and
+ composed only of a-z, 0-9, '_', and '-' characters. It is used
+ in API calls to refer to a specific custom field.
maxLength: 36
minLength: 1
type: string
@@ -34026,8 +35738,10 @@ components:
- toggle
type: string
required:
- description: |
- Indicates whether the field is required. If `false`, the custom field can be set to null or omitted when a case is created or updated.
+ description: >
+ Indicates whether the field is required. If `false`, the
+ custom field can be set to null or omitted when a case is
+ created or updated.
type: boolean
required:
- key
@@ -34038,8 +35752,9 @@ components:
templates:
$ref: '#/components/schemas/Cases_templates'
version:
- description: |
- The version of the connector. To retrieve the version value, use the get configuration API.
+ description: >
+ The version of the connector. To retrieve the version value, use the
+ get configuration API.
example: WzIwMiwxXQ==
type: string
required:
@@ -34047,7 +35762,9 @@ components:
title: Update case configuration request
type: object
Cases_update_case_request:
- description: The update case API request body varies depending on the type of connector.
+ description: >-
+ The update case API request body varies depending on the type of
+ connector.
properties:
cases:
description: An array containing one or more case objects.
@@ -34061,32 +35778,42 @@ components:
connector:
oneOf:
- $ref: '#/components/schemas/Cases_connector_properties_none'
- - $ref: '#/components/schemas/Cases_connector_properties_cases_webhook'
+ - $ref: >-
+ #/components/schemas/Cases_connector_properties_cases_webhook
- $ref: '#/components/schemas/Cases_connector_properties_jira'
- $ref: '#/components/schemas/Cases_connector_properties_resilient'
- $ref: '#/components/schemas/Cases_connector_properties_servicenow'
- - $ref: '#/components/schemas/Cases_connector_properties_servicenow_sir'
+ - $ref: >-
+ #/components/schemas/Cases_connector_properties_servicenow_sir
- $ref: '#/components/schemas/Cases_connector_properties_swimlane'
customFields:
- description: |
- Custom field values for a case. Any optional custom fields that are not specified in the request are set to null.
+ description: >
+ Custom field values for a case. Any optional custom fields
+ that are not specified in the request are set to null.
items:
type: object
properties:
key:
- description: |
- The unique identifier for the custom field. The key value must exist in the case configuration settings.
+ description: >
+ The unique identifier for the custom field. The key
+ value must exist in the case configuration settings.
type: string
type:
- description: |
- The custom field type. It must match the type specified in the case configuration settings.
+ description: >
+ The custom field type. It must match the type specified
+ in the case configuration settings.
enum:
- text
- toggle
type: string
value:
- description: |
- The custom field value. If the custom field is required, it cannot be explicitly set to null. However, for cases that existed when the required custom field was added, the default value stored in Elasticsearch is `undefined`. The value returned in the API and user interface in this case is `null`.
+ description: >
+ The custom field value. If the custom field is required,
+ it cannot be explicitly set to null. However, for cases
+ that existed when the required custom field was added,
+ the default value stored in Elasticsearch is
+ `undefined`. The value returned in the API and user
+ interface in this case is `null`.
oneOf:
- maxLength: 160
minLength: 1
@@ -34117,7 +35844,9 @@ components:
title:
$ref: '#/components/schemas/Cases_case_title'
version:
- description: The current version of the case. To determine this value, use the get case or find cases APIs.
+ description: >-
+ The current version of the case. To determine this value, use
+ the get case or find cases APIs.
type: string
required:
- id
@@ -34138,8 +35867,9 @@ components:
maxLength: 30000
type: string
id:
- description: |
- The identifier for the comment. To retrieve comment IDs, use the get comments API.
+ description: >
+ The identifier for the comment. To retrieve comment IDs, use the get
+ comments API.
example: 8af6ac20-74f6-11ea-b83a-553aecdb28b6
type: string
owner:
@@ -34151,8 +35881,9 @@ components:
example: user
type: string
version:
- description: |
- The current comment version. To retrieve version values, use the get comments API.
+ description: >
+ The current comment version. To retrieve version values, use the get
+ comments API.
example: Wzk1LDFd
type: string
required:
@@ -34384,7 +36115,9 @@ components:
example: Not Found
type: string
message:
- example: Saved object [index-pattern/caaad6d0-920c-11ed-b36a-874bd1548a00] not found
+ example: >-
+ Saved object [index-pattern/caaad6d0-920c-11ed-b36a-874bd1548a00]
+ not found
type: string
statusCode:
enum:
@@ -34439,7 +36172,9 @@ components:
- title
override:
default: false
- description: Override an existing data view if a data view with the provided title already exists.
+ description: >-
+ Override an existing data view if a data view with the provided
+ title already exists.
type: boolean
required:
- data_view
@@ -34501,7 +36236,9 @@ components:
description: A map of field formats by field name.
type: object
Data_views_namespaces:
- description: An array of space identifiers for sharing the data view between multiple spaces.
+ description: >-
+ An array of space identifiers for sharing the data view between multiple
+ spaces.
items:
default: default
type: string
@@ -34553,8 +36290,9 @@ components:
description: The saved object reference to change.
type: string
fromType:
- description: |
- Specify the type of the saved object reference to alter. The default value is `index-pattern` for data views.
+ description: >
+ Specify the type of the saved object reference to alter. The default
+ value is `index-pattern` for data views.
type: string
toId:
description: New saved object reference value to replace the old value.
@@ -34566,13 +36304,17 @@ components:
description: The timestamp field name, which you use for time-based data views.
type: string
Data_views_title:
- description: Comma-separated list of data streams, indices, and aliases that you want to search. Supports wildcards (`*`).
+ description: >-
+ Comma-separated list of data streams, indices, and aliases that you want
+ to search. Supports wildcards (`*`).
type: string
Data_views_type:
description: When set to `rollup`, identifies the rollup data views.
type: string
Data_views_typemeta:
- description: When you use rollup indices, contains the field list for the rollup data view API endpoints.
+ description: >-
+ When you use rollup indices, contains the field list for the rollup data
+ view API endpoints.
type: object
properties:
aggs:
@@ -34585,7 +36327,9 @@ components:
- aggs
- params
Data_views_typemeta_response:
- description: When you use rollup indices, contains the field list for the rollup data view API endpoints.
+ description: >-
+ When you use rollup indices, contains the field list for the rollup data
+ view API endpoints.
nullable: true
type: object
properties:
@@ -34600,8 +36344,10 @@ components:
type: object
properties:
data_view:
- description: |
- The data view properties you want to update. Only the specified properties are updated in the data view. Unspecified fields stay as they are persisted.
+ description: >
+ The data view properties you want to update. Only the specified
+ properties are updated in the data view. Unspecified fields stay as
+ they are persisted.
type: object
properties:
allowNoIndex:
@@ -34661,7 +36407,10 @@ components:
- status
Kibana_HTTP_APIs_core_status_response:
additionalProperties: false
- description: Kibana's operational status as well as a detailed breakdown of plugin statuses indication of various loads (like event loop utilization and network traffic) at time of request.
+ description: >-
+ Kibana's operational status as well as a detailed breakdown of plugin
+ statuses indication of various loads (like event loop utilization and
+ network traffic) at time of request.
type: object
properties:
metrics:
@@ -34720,7 +36469,9 @@ components:
description: A URL to further documentation regarding this service.
type: string
level:
- description: Service status levels as human and machine readable values.
+ description: >-
+ Service status levels as human and machine readable
+ values.
enum:
- available
- degraded
@@ -34729,7 +36480,9 @@ components:
type: string
meta:
additionalProperties: {}
- description: An unstructured set of extra metadata about this service.
+ description: >-
+ An unstructured set of extra metadata about this
+ service.
type: object
summary:
description: A human readable summary of the service status.
@@ -34749,7 +36502,9 @@ components:
description: A URL to further documentation regarding this service.
type: string
level:
- description: Service status levels as human and machine readable values.
+ description: >-
+ Service status levels as human and machine readable
+ values.
enum:
- available
- degraded
@@ -34758,7 +36513,9 @@ components:
type: string
meta:
additionalProperties: {}
- description: An unstructured set of extra metadata about this service.
+ description: >-
+ An unstructured set of extra metadata about this
+ service.
type: object
summary:
description: A human readable summary of the service status.
@@ -34811,7 +36568,9 @@ components:
description: A URL to further documentation regarding this service.
type: string
level:
- description: Service status levels as human and machine readable values.
+ description: >-
+ Service status levels as human and machine readable
+ values.
enum:
- available
- degraded
@@ -34836,7 +36595,9 @@ components:
- core
- plugins
uuid:
- description: Unique, generated Kibana instance UUID. This UUID should persist even if the Kibana process restarts.
+ description: >-
+ Unique, generated Kibana instance UUID. This UUID should persist
+ even if the Kibana process restarts.
type: string
version:
additionalProperties: false
@@ -34846,16 +36607,24 @@ components:
description: The date and time of this build.
type: string
build_flavor:
- description: The build flavour determines configuration and behavior of Kibana. On premise users will almost always run the "traditional" flavour, while other flavours are reserved for Elastic-specific use cases.
+ description: >-
+ The build flavour determines configuration and behavior of
+ Kibana. On premise users will almost always run the
+ "traditional" flavour, while other flavours are reserved for
+ Elastic-specific use cases.
enum:
- serverless
- traditional
type: string
build_hash:
- description: A unique hash value representing the git commit of this Kibana build.
+ description: >-
+ A unique hash value representing the git commit of this Kibana
+ build.
type: string
build_number:
- description: A monotonically increasing number, each subsequent build will have a higher number.
+ description: >-
+ A monotonically increasing number, each subsequent build will
+ have a higher number.
type: number
build_snapshot:
description: Whether this build is a snapshot build.
@@ -34881,17 +36650,25 @@ components:
datafeedsAdded:
additionalProperties:
$ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseDatafeeds'
- description: If a saved object for an anomaly detection job is missing a datafeed identifier, it is added when you run the sync machine learning saved objects API.
+ description: >-
+ If a saved object for an anomaly detection job is missing a datafeed
+ identifier, it is added when you run the sync machine learning saved
+ objects API.
type: object
datafeedsRemoved:
additionalProperties:
$ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseDatafeeds'
- description: If a saved object for an anomaly detection job references a datafeed that no longer exists, it is deleted when you run the sync machine learning saved objects API.
+ description: >-
+ If a saved object for an anomaly detection job references a datafeed
+ that no longer exists, it is deleted when you run the sync machine
+ learning saved objects API.
type: object
savedObjectsCreated:
- $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseSavedObjectsCreated'
+ $ref: >-
+ #/components/schemas/Machine_learning_APIs_mlSyncResponseSavedObjectsCreated
savedObjectsDeleted:
- $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseSavedObjectsDeleted'
+ $ref: >-
+ #/components/schemas/Machine_learning_APIs_mlSyncResponseSavedObjectsDeleted
title: Successful sync API response
type: object
Machine_learning_APIs_mlSync4xxResponse:
@@ -34907,63 +36684,97 @@ components:
title: Unsuccessful sync API response
type: object
Machine_learning_APIs_mlSyncResponseAnomalyDetectors:
- description: The sync machine learning saved objects API response contains this object when there are anomaly detection jobs affected by the synchronization. There is an object for each relevant job, which contains the synchronization status.
+ description: >-
+ The sync machine learning saved objects API response contains this
+ object when there are anomaly detection jobs affected by the
+ synchronization. There is an object for each relevant job, which
+ contains the synchronization status.
properties:
success:
$ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseSuccess'
title: Sync API response for anomaly detection jobs
type: object
Machine_learning_APIs_mlSyncResponseDatafeeds:
- description: The sync machine learning saved objects API response contains this object when there are datafeeds affected by the synchronization. There is an object for each relevant datafeed, which contains the synchronization status.
+ description: >-
+ The sync machine learning saved objects API response contains this
+ object when there are datafeeds affected by the synchronization. There
+ is an object for each relevant datafeed, which contains the
+ synchronization status.
properties:
success:
$ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseSuccess'
title: Sync API response for datafeeds
type: object
Machine_learning_APIs_mlSyncResponseDataFrameAnalytics:
- description: The sync machine learning saved objects API response contains this object when there are data frame analytics jobs affected by the synchronization. There is an object for each relevant job, which contains the synchronization status.
+ description: >-
+ The sync machine learning saved objects API response contains this
+ object when there are data frame analytics jobs affected by the
+ synchronization. There is an object for each relevant job, which
+ contains the synchronization status.
properties:
success:
$ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseSuccess'
title: Sync API response for data frame analytics jobs
type: object
Machine_learning_APIs_mlSyncResponseSavedObjectsCreated:
- description: If saved objects are missing for machine learning jobs or trained models, they are created when you run the sync machine learning saved objects API.
+ description: >-
+ If saved objects are missing for machine learning jobs or trained
+ models, they are created when you run the sync machine learning saved
+ objects API.
properties:
anomaly-detector:
additionalProperties:
- $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseAnomalyDetectors'
- description: If saved objects are missing for anomaly detection jobs, they are created.
+ $ref: >-
+ #/components/schemas/Machine_learning_APIs_mlSyncResponseAnomalyDetectors
+ description: >-
+ If saved objects are missing for anomaly detection jobs, they are
+ created.
type: object
data-frame-analytics:
additionalProperties:
- $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseDataFrameAnalytics'
- description: If saved objects are missing for data frame analytics jobs, they are created.
+ $ref: >-
+ #/components/schemas/Machine_learning_APIs_mlSyncResponseDataFrameAnalytics
+ description: >-
+ If saved objects are missing for data frame analytics jobs, they are
+ created.
type: object
trained-model:
additionalProperties:
- $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseTrainedModels'
+ $ref: >-
+ #/components/schemas/Machine_learning_APIs_mlSyncResponseTrainedModels
description: If saved objects are missing for trained models, they are created.
type: object
title: Sync API response for created saved objects
type: object
Machine_learning_APIs_mlSyncResponseSavedObjectsDeleted:
- description: If saved objects exist for machine learning jobs or trained models that no longer exist, they are deleted when you run the sync machine learning saved objects API.
+ description: >-
+ If saved objects exist for machine learning jobs or trained models that
+ no longer exist, they are deleted when you run the sync machine learning
+ saved objects API.
properties:
anomaly-detector:
additionalProperties:
- $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseAnomalyDetectors'
- description: If there are saved objects exist for nonexistent anomaly detection jobs, they are deleted.
+ $ref: >-
+ #/components/schemas/Machine_learning_APIs_mlSyncResponseAnomalyDetectors
+ description: >-
+ If there are saved objects exist for nonexistent anomaly detection
+ jobs, they are deleted.
type: object
data-frame-analytics:
additionalProperties:
- $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseDataFrameAnalytics'
- description: If there are saved objects exist for nonexistent data frame analytics jobs, they are deleted.
+ $ref: >-
+ #/components/schemas/Machine_learning_APIs_mlSyncResponseDataFrameAnalytics
+ description: >-
+ If there are saved objects exist for nonexistent data frame
+ analytics jobs, they are deleted.
type: object
trained-model:
additionalProperties:
- $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseTrainedModels'
- description: If there are saved objects exist for nonexistent trained models, they are deleted.
+ $ref: >-
+ #/components/schemas/Machine_learning_APIs_mlSyncResponseTrainedModels
+ description: >-
+ If there are saved objects exist for nonexistent trained models,
+ they are deleted.
type: object
title: Sync API response for deleted saved objects
type: object
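Review bot: The refolded descriptions under `Machine_learning_APIs_mlSyncResponseSavedObjectsDeleted` (the `anomaly-detector`, `data-frame-analytics` and `trained-model` entries) still read "If there are saved objects exist for nonexistent …, they are deleted", which is ungrammatical, and the later `Saved_objects_initial_namespaces` description carries a misplaced backtick in "(`registered with `namespaceType: agnostic`)" that breaks the inline code span in rendered docs. Because this file is bundler output, the wording should be fixed in the source OpenAPI documents it is generated from rather than here; the intended text is presumably `If saved objects exist for nonexistent anomaly detection jobs, they are deleted.` (and likewise for the other two), and for the namespaces text the backtick before "registered with" should be dropped so only the `namespaceType: agnostic` token is code-formatted. The reflow itself looks behavior-neutral: every `>`/`>-` scalar in these hunks folds back to the single-line string the previous `|` or plain value produced, and `>-` for `$ref` values is needed because a plain scalar starting with `#` would be read as a comment.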
@@ -34971,7 +36782,11 @@ components:
description: The success or failure of the synchronization.
type: boolean
Machine_learning_APIs_mlSyncResponseTrainedModels:
- description: The sync machine learning saved objects API response contains this object when there are trained models affected by the synchronization. There is an object for each relevant trained model, which contains the synchronization status.
+ description: >-
+ The sync machine learning saved objects API response contains this
+ object when there are trained models affected by the synchronization.
+ There is an object for each relevant trained model, which contains the
+ synchronization status.
properties:
success:
$ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseSuccess'
@@ -34996,16 +36811,32 @@ components:
- message
- statusCode
Saved_objects_attributes:
- description: |
- The data that you want to create. WARNING: When you create saved objects, attributes are not validated, which allows you to pass arbitrary and ill-formed data into the API that can break Kibana. Make sure any data that you send to the API is properly formed.
+ description: >
+ The data that you want to create. WARNING: When you create saved
+ objects, attributes are not validated, which allows you to pass
+ arbitrary and ill-formed data into the API that can break Kibana. Make
+ sure any data that you send to the API is properly formed.
type: object
Saved_objects_initial_namespaces:
- description: |
- Identifiers for the spaces in which this object is created. If this is provided, the object is created only in the explicitly defined spaces. If this is not provided, the object is created in the current space (default behavior). For shareable object types (registered with `namespaceType: 'multiple'`), this option can be used to specify one or more spaces, including the "All spaces" identifier ('*'). For isolated object types (registered with `namespaceType: 'single'` or `namespaceType: 'multiple-isolated'`), this option can only be used to specify a single space, and the "All spaces" identifier ('*') is not allowed. For global object types (`registered with `namespaceType: agnostic`), this option cannot be used.
+ description: >
+ Identifiers for the spaces in which this object is created. If this is
+ provided, the object is created only in the explicitly defined spaces.
+ If this is not provided, the object is created in the current space
+ (default behavior). For shareable object types (registered with
+ `namespaceType: 'multiple'`), this option can be used to specify one or
+ more spaces, including the "All spaces" identifier ('*'). For isolated
+ object types (registered with `namespaceType: 'single'` or
+ `namespaceType: 'multiple-isolated'`), this option can only be used to
+ specify a single space, and the "All spaces" identifier ('*') is not
+ allowed. For global object types (`registered with `namespaceType:
+ agnostic`), this option cannot be used.
type: array
Saved_objects_references:
- description: |
- Objects with `name`, `id`, and `type` properties that describe the other saved objects that this object references. Use `name` in attributes to refer to the other saved object, but never the `id`, which can update automatically during migrations or import and export.
+ description: >
+ Objects with `name`, `id`, and `type` properties that describe the other
+ saved objects that this object references. Use `name` in attributes to
+ refer to the other saved object, but never the `id`, which can update
+ automatically during migrations or import and export.
type: array
Security_AI_Assistant_API_AnonymizationFieldCreateProps:
type: object
@@ -35098,7 +36929,8 @@ components:
example: user.name
type: string
skip_reason:
- $ref: '#/components/schemas/Security_AI_Assistant_API_AnonymizationFieldsBulkActionSkipReason'
+ $ref: >-
+ #/components/schemas/Security_AI_Assistant_API_AnonymizationFieldsBulkActionSkipReason
description: Reason why the anonymization field was not modified.
required:
- id
@@ -35116,12 +36948,15 @@ components:
errors:
description: List of errors that occurred during the bulk operation.
items:
- $ref: '#/components/schemas/Security_AI_Assistant_API_NormalizedAnonymizationFieldError'
+ $ref: >-
+ #/components/schemas/Security_AI_Assistant_API_NormalizedAnonymizationFieldError
type: array
results:
- $ref: '#/components/schemas/Security_AI_Assistant_API_AnonymizationFieldsBulkCrudActionResults'
+ $ref: >-
+ #/components/schemas/Security_AI_Assistant_API_AnonymizationFieldsBulkCrudActionResults
summary:
- $ref: '#/components/schemas/Security_AI_Assistant_API_BulkCrudActionSummary'
+ $ref: >-
+ #/components/schemas/Security_AI_Assistant_API_BulkCrudActionSummary
required:
- results
- summary
@@ -35145,7 +36980,8 @@ components:
created:
description: List of anonymization fields successfully created.
items:
- $ref: '#/components/schemas/Security_AI_Assistant_API_AnonymizationFieldResponse'
+ $ref: >-
+ #/components/schemas/Security_AI_Assistant_API_AnonymizationFieldResponse
type: array
deleted:
items:
@@ -35156,12 +36992,14 @@ components:
skipped:
description: List of anonymization fields that were skipped during the operation.
items:
- $ref: '#/components/schemas/Security_AI_Assistant_API_AnonymizationFieldsBulkActionSkipResult'
+ $ref: >-
+ #/components/schemas/Security_AI_Assistant_API_AnonymizationFieldsBulkActionSkipResult
type: array
updated:
description: List of anonymization fields successfully updated.
items:
- $ref: '#/components/schemas/Security_AI_Assistant_API_AnonymizationFieldResponse'
+ $ref: >-
+ #/components/schemas/Security_AI_Assistant_API_AnonymizationFieldResponse
type: array
required:
- updated
@@ -35328,7 +37166,9 @@ components:
$ref: '#/components/schemas/Security_AI_Assistant_API_MessageData'
description: Metadata to attach to the context of the message.
fields_to_anonymize:
- description: List of field names within the data object that should be anonymized.
+ description: >-
+ List of field names within the data object that should be
+ anonymized.
example:
- user.name
- source.ip
@@ -35351,11 +37191,16 @@ components:
Security_AI_Assistant_API_ContentReferences:
additionalProperties:
oneOf:
- - $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryContentReference'
- - $ref: '#/components/schemas/Security_AI_Assistant_API_SecurityAlertContentReference'
- - $ref: '#/components/schemas/Security_AI_Assistant_API_SecurityAlertsPageContentReference'
- - $ref: '#/components/schemas/Security_AI_Assistant_API_ProductDocumentationContentReference'
- - $ref: '#/components/schemas/Security_AI_Assistant_API_EsqlContentReference'
+ - $ref: >-
+ #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryContentReference
+ - $ref: >-
+ #/components/schemas/Security_AI_Assistant_API_SecurityAlertContentReference
+ - $ref: >-
+ #/components/schemas/Security_AI_Assistant_API_SecurityAlertsPageContentReference
+ - $ref: >-
+ #/components/schemas/Security_AI_Assistant_API_ProductDocumentationContentReference
+ - $ref: >-
+ #/components/schemas/Security_AI_Assistant_API_EsqlContentReference
additionalProperties: false
description: A union of all content reference types
type: object
@@ -35461,12 +37306,17 @@ components:
type: object
properties:
confidence:
- $ref: '#/components/schemas/Security_AI_Assistant_API_ConversationConfidence'
- description: How confident you are about this being a correct and useful learning.
+ $ref: >-
+ #/components/schemas/Security_AI_Assistant_API_ConversationConfidence
+ description: >-
+ How confident you are about this being a correct and useful
+ learning.
example: high
content:
description: Summary text of the conversation over time.
- example: This conversation covered how to configure the Security AI Assistant.
+ example: >-
+ This conversation covered how to configure the Security AI
+ Assistant.
type: string
public:
description: Define if summary is marked as publicly available.
@@ -35530,7 +37380,9 @@ components:
example: default
type: string
users:
- description: Users who have access to the Knowledge Base Entry, defaults to current user. Empty array provides access to all users.
+ description: >-
+ Users who have access to the Knowledge Base Entry, defaults to
+ current user. Empty array provides access to all users.
items:
$ref: '#/components/schemas/Security_AI_Assistant_API_User'
type: array
@@ -35540,7 +37392,8 @@ components:
- global
- users
- $ref: '#/components/schemas/Security_AI_Assistant_API_ResponseFields'
- - $ref: '#/components/schemas/Security_AI_Assistant_API_DocumentEntryResponseFields'
+ - $ref: >-
+ #/components/schemas/Security_AI_Assistant_API_DocumentEntryResponseFields
Security_AI_Assistant_API_DocumentEntryCreateFields:
allOf:
- type: object
@@ -35558,14 +37411,18 @@ components:
example: default
type: string
users:
- description: Users who have access to the Knowledge Base Entry, defaults to current user. Empty array provides access to all users.
+ description: >-
+ Users who have access to the Knowledge Base Entry, defaults to
+ current user. Empty array provides access to all users.
items:
$ref: '#/components/schemas/Security_AI_Assistant_API_User'
type: array
required:
- name
- - $ref: '#/components/schemas/Security_AI_Assistant_API_DocumentEntryRequiredFields'
- - $ref: '#/components/schemas/Security_AI_Assistant_API_DocumentEntryOptionalFields'
+ - $ref: >-
+ #/components/schemas/Security_AI_Assistant_API_DocumentEntryRequiredFields
+ - $ref: >-
+ #/components/schemas/Security_AI_Assistant_API_DocumentEntryOptionalFields
Security_AI_Assistant_API_DocumentEntryOptionalFields:
type: object
properties:
@@ -35601,8 +37458,10 @@ components:
- text
Security_AI_Assistant_API_DocumentEntryResponseFields:
allOf:
- - $ref: '#/components/schemas/Security_AI_Assistant_API_DocumentEntryRequiredFields'
- - $ref: '#/components/schemas/Security_AI_Assistant_API_DocumentEntryOptionalFields'
+ - $ref: >-
+ #/components/schemas/Security_AI_Assistant_API_DocumentEntryRequiredFields
+ - $ref: >-
+ #/components/schemas/Security_AI_Assistant_API_DocumentEntryOptionalFields
Security_AI_Assistant_API_DocumentEntryUpdateFields:
allOf:
- type: object
@@ -35622,13 +37481,16 @@ components:
example: default
type: string
users:
- description: Users who have access to the Knowledge Base Entry, defaults to current user. Empty array provides access to all users.
+ description: >-
+ Users who have access to the Knowledge Base Entry, defaults to
+ current user. Empty array provides access to all users.
items:
$ref: '#/components/schemas/Security_AI_Assistant_API_User'
type: array
required:
- id
- - $ref: '#/components/schemas/Security_AI_Assistant_API_DocumentEntryCreateFields'
+ - $ref: >-
+ #/components/schemas/Security_AI_Assistant_API_DocumentEntryCreateFields
Security_AI_Assistant_API_EsqlContentReference:
allOf:
- $ref: '#/components/schemas/Security_AI_Assistant_API_BaseContentReference'
@@ -35674,7 +37536,9 @@ components:
- updated_at
type: string
Security_AI_Assistant_API_FindConversationsSortField:
- description: The field by which to sort the conversations. Possible values are `created_at`, `title`, and `updated_at`.
+ description: >-
+ The field by which to sort the conversations. Possible values are
+ `created_at`, `title`, and `updated_at`.
enum:
- created_at
- title
@@ -35716,7 +37580,9 @@ components:
example: default
type: string
users:
- description: Users who have access to the Knowledge Base Entry, defaults to current user. Empty array provides access to all users.
+ description: >-
+ Users who have access to the Knowledge Base Entry, defaults to
+ current user. Empty array provides access to all users.
items:
$ref: '#/components/schemas/Security_AI_Assistant_API_User'
type: array
@@ -35726,7 +37592,8 @@ components:
- global
- users
- $ref: '#/components/schemas/Security_AI_Assistant_API_ResponseFields'
- - $ref: '#/components/schemas/Security_AI_Assistant_API_IndexEntryResponseFields'
+ - $ref: >-
+ #/components/schemas/Security_AI_Assistant_API_IndexEntryResponseFields
Security_AI_Assistant_API_IndexEntryCreateFields:
allOf:
- type: object
@@ -35744,21 +37611,27 @@ components:
example: default
type: string
users:
- description: Users who have access to the Knowledge Base Entry, defaults to current user. Empty array provides access to all users.
+ description: >-
+ Users who have access to the Knowledge Base Entry, defaults to
+ current user. Empty array provides access to all users.
items:
$ref: '#/components/schemas/Security_AI_Assistant_API_User'
type: array
required:
- name
- - $ref: '#/components/schemas/Security_AI_Assistant_API_IndexEntryRequiredFields'
- - $ref: '#/components/schemas/Security_AI_Assistant_API_IndexEntryOptionalFields'
+ - $ref: >-
+ #/components/schemas/Security_AI_Assistant_API_IndexEntryRequiredFields
+ - $ref: >-
+ #/components/schemas/Security_AI_Assistant_API_IndexEntryOptionalFields
Security_AI_Assistant_API_IndexEntryOptionalFields:
type: object
properties:
inputSchema:
$ref: '#/components/schemas/Security_AI_Assistant_API_InputSchema'
outputFields:
- description: Fields to extract from the query result, defaults to all fields if not provided or empty.
+ description: >-
+ Fields to extract from the query result, defaults to all fields if
+ not provided or empty.
example:
- title
- author
@@ -35769,7 +37642,9 @@ components:
type: object
properties:
description:
- description: Description for when this index or data stream should be queried for Knowledge Base content. Passed to the LLM as a tool description.
+ description: >-
+ Description for when this index or data stream should be queried for
+ Knowledge Base content. Passed to the LLM as a tool description.
example: Query this index for general knowledge base content.
type: string
field:
@@ -35781,7 +37656,9 @@ components:
example: knowledge_base_index
type: string
queryDescription:
- description: Description of query field used to fetch Knowledge Base content. Passed to the LLM as part of the tool input schema.
+ description: >-
+ Description of query field used to fetch Knowledge Base content.
+ Passed to the LLM as part of the tool input schema.
example: Search for documents containing the specified keywords.
type: string
type:
@@ -35798,8 +37675,10 @@ components:
- queryDescription
Security_AI_Assistant_API_IndexEntryResponseFields:
allOf:
- - $ref: '#/components/schemas/Security_AI_Assistant_API_IndexEntryRequiredFields'
- - $ref: '#/components/schemas/Security_AI_Assistant_API_IndexEntryOptionalFields'
+ - $ref: >-
+ #/components/schemas/Security_AI_Assistant_API_IndexEntryRequiredFields
+ - $ref: >-
+ #/components/schemas/Security_AI_Assistant_API_IndexEntryOptionalFields
Security_AI_Assistant_API_IndexEntryUpdateFields:
allOf:
- type: object
@@ -35819,15 +37698,20 @@ components:
example: default
type: string
users:
- description: Users who have access to the Knowledge Base Entry, defaults to current user. Empty array provides access to all users.
+ description: >-
+ Users who have access to the Knowledge Base Entry, defaults to
+ current user. Empty array provides access to all users.
items:
$ref: '#/components/schemas/Security_AI_Assistant_API_User'
type: array
required:
- id
- - $ref: '#/components/schemas/Security_AI_Assistant_API_IndexEntryCreateFields'
+ - $ref: >-
+ #/components/schemas/Security_AI_Assistant_API_IndexEntryCreateFields
Security_AI_Assistant_API_InputSchema:
- description: Array of objects defining the input schema, allowing the LLM to extract structured data to be used in retrieval.
+ description: >-
+ Array of objects defining the input schema, allowing the LLM to extract
+ structured data to be used in retrieval.
items:
type: object
properties:
@@ -35865,7 +37749,8 @@ components:
example: Skipped Entry
type: string
skip_reason:
- $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryBulkActionSkipReason'
+ $ref: >-
+ #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryBulkActionSkipReason
required:
- id
- skip_reason
@@ -35885,12 +37770,15 @@ components:
message: Failed to update entry.
statusCode: 400
items:
- $ref: '#/components/schemas/Security_AI_Assistant_API_NormalizedKnowledgeBaseEntryError'
+ $ref: >-
+ #/components/schemas/Security_AI_Assistant_API_NormalizedKnowledgeBaseEntryError
type: array
results:
- $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryBulkCrudActionResults'
+ $ref: >-
+ #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryBulkCrudActionResults
summary:
- $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryBulkCrudActionSummary'
+ $ref: >-
+ #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryBulkCrudActionSummary
required:
- results
- summary
@@ -35922,23 +37810,29 @@ components:
id: '456'
title: New Entry
items:
- $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryResponse'
+ $ref: >-
+ #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryResponse
type: array
deleted:
- description: List of IDs of Knowledge Base Entries that were successfully deleted.
+ description: >-
+ List of IDs of Knowledge Base Entries that were successfully
+ deleted.
example:
- '789'
items:
type: string
type: array
skipped:
- description: List of Knowledge Base Entries that were skipped during the bulk action.
+ description: >-
+ List of Knowledge Base Entries that were skipped during the bulk
+ action.
example:
- id: '123'
name: Skipped Entry
skip_reason: KNOWLEDGE_BASE_ENTRY_NOT_MODIFIED
items:
- $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryBulkActionSkipResult'
+ $ref: >-
+ #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryBulkActionSkipResult
type: array
updated:
description: List of Knowledge Base Entries that were successfully updated.
@@ -35947,7 +37841,8 @@ components:
id: '123'
title: Updated Entry
items:
- $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryResponse'
+ $ref: >-
+ #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryResponse
type: array
required:
- updated
@@ -35962,11 +37857,15 @@ components:
example: 2
type: integer
skipped:
- description: Number of Knowledge Base Entries that were skipped during the bulk action.
+ description: >-
+ Number of Knowledge Base Entries that were skipped during the bulk
+ action.
example: 1
type: integer
succeeded:
- description: Number of Knowledge Base Entries that were successfully processed during the bulk action.
+ description: >-
+ Number of Knowledge Base Entries that were successfully processed
+ during the bulk action.
example: 5
type: integer
total:
@@ -36003,8 +37902,10 @@ components:
description: References a knowledge base entry
Security_AI_Assistant_API_KnowledgeBaseEntryCreateProps:
anyOf:
- - $ref: '#/components/schemas/Security_AI_Assistant_API_DocumentEntryCreateFields'
- - $ref: '#/components/schemas/Security_AI_Assistant_API_IndexEntryCreateFields'
+ - $ref: >-
+ #/components/schemas/Security_AI_Assistant_API_DocumentEntryCreateFields
+ - $ref: >-
+ #/components/schemas/Security_AI_Assistant_API_IndexEntryCreateFields
discriminator:
propertyName: type
Security_AI_Assistant_API_KnowledgeBaseEntryDetailsInError:
@@ -36048,18 +37949,24 @@ components:
propertyName: type
Security_AI_Assistant_API_KnowledgeBaseEntryUpdateProps:
anyOf:
- - $ref: '#/components/schemas/Security_AI_Assistant_API_DocumentEntryUpdateFields'
- - $ref: '#/components/schemas/Security_AI_Assistant_API_IndexEntryUpdateFields'
+ - $ref: >-
+ #/components/schemas/Security_AI_Assistant_API_DocumentEntryUpdateFields
+ - $ref: >-
+ #/components/schemas/Security_AI_Assistant_API_IndexEntryUpdateFields
discriminator:
propertyName: type
Security_AI_Assistant_API_KnowledgeBaseEntryUpdateRouteProps:
anyOf:
- - $ref: '#/components/schemas/Security_AI_Assistant_API_DocumentEntryCreateFields'
- - $ref: '#/components/schemas/Security_AI_Assistant_API_IndexEntryCreateFields'
+ - $ref: >-
+ #/components/schemas/Security_AI_Assistant_API_DocumentEntryCreateFields
+ - $ref: >-
+ #/components/schemas/Security_AI_Assistant_API_IndexEntryCreateFields
discriminator:
propertyName: type
Security_AI_Assistant_API_KnowledgeBaseResource:
- description: Knowledge Base resource name for grouping entries, e.g. 'security_labs', 'user', etc.
+ description: >-
+ Knowledge Base resource name for grouping entries, e.g. 'security_labs',
+ 'user', etc.
enum:
- security_labs
- user
@@ -36135,7 +38042,9 @@ components:
minLength: 1
type: string
Security_AI_Assistant_API_NonEmptyTimestamp:
- description: A string that represents a timestamp in ISO 8601 format and does not contain only whitespace characters.
+ description: >-
+ A string that represents a timestamp in ISO 8601 format and does not
+ contain only whitespace characters.
example: '2023-10-31T12:00:00Z'
format: nonempty
minLength: 1
@@ -36146,7 +38055,8 @@ components:
anonymization_fields:
description: Array of anonymization fields that caused the error.
items:
- $ref: '#/components/schemas/Security_AI_Assistant_API_AnonymizationFieldDetailsInError'
+ $ref: >-
+ #/components/schemas/Security_AI_Assistant_API_AnonymizationFieldDetailsInError
type: array
err_code:
description: Error code indicating the type of failure.
@@ -36174,7 +38084,8 @@ components:
knowledgeBaseEntries:
description: List of Knowledge Base Entries that encountered the error.
items:
- $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryDetailsInError'
+ $ref: >-
+ #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryDetailsInError
type: array
message:
description: Error message describing the issue.
@@ -36200,7 +38111,8 @@ components:
prompts:
description: List of prompts that encountered errors.
items:
- $ref: '#/components/schemas/Security_AI_Assistant_API_PromptDetailsInError'
+ $ref: >-
+ #/components/schemas/Security_AI_Assistant_API_PromptDetailsInError
type: array
status_code:
description: The HTTP status code associated with the error.
@@ -36359,7 +38271,8 @@ components:
description: The name of the prompt that was skipped.
type: string
skip_reason:
- $ref: '#/components/schemas/Security_AI_Assistant_API_PromptsBulkActionSkipReason'
+ $ref: >-
+ #/components/schemas/Security_AI_Assistant_API_PromptsBulkActionSkipReason
description: The reason for skipping the prompt.
required:
- id
@@ -36372,12 +38285,15 @@ components:
properties:
errors:
items:
- $ref: '#/components/schemas/Security_AI_Assistant_API_NormalizedPromptError'
+ $ref: >-
+ #/components/schemas/Security_AI_Assistant_API_NormalizedPromptError
type: array
results:
- $ref: '#/components/schemas/Security_AI_Assistant_API_PromptsBulkCrudActionResults'
+ $ref: >-
+ #/components/schemas/Security_AI_Assistant_API_PromptsBulkCrudActionResults
summary:
- $ref: '#/components/schemas/Security_AI_Assistant_API_BulkCrudActionSummary'
+ $ref: >-
+ #/components/schemas/Security_AI_Assistant_API_BulkCrudActionSummary
required:
- results
- summary
@@ -36415,7 +38331,8 @@ components:
skipped:
description: List of prompts that were skipped.
items:
- $ref: '#/components/schemas/Security_AI_Assistant_API_PromptsBulkActionSkipResult'
+ $ref: >-
+ #/components/schemas/Security_AI_Assistant_API_PromptsBulkActionSkipResult
type: array
updated:
description: List of prompts that were updated.
@@ -36576,7 +38493,9 @@ components:
example: John Doe
type: string
Security_AI_Assistant_API_Vector:
- description: Object containing Knowledge Base Entry text embeddings and modelId used to create the embeddings.
+ description: >-
+ Object containing Knowledge Base Entry text embeddings and modelId used
+ to create the embeddings.
type: object
properties:
modelId:
@@ -36670,7 +38589,8 @@ components:
oneOf:
- $ref: '#/components/schemas/Security_Detections_API_AlertsSortCombinations'
- items:
- $ref: '#/components/schemas/Security_Detections_API_AlertsSortCombinations'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_AlertsSortCombinations
type: array
Security_Detections_API_AlertsSortCombinations:
anyOf:
@@ -36689,18 +38609,21 @@ components:
type: object
properties:
duration:
- $ref: '#/components/schemas/Security_Detections_API_AlertSuppressionDuration'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_AlertSuppressionDuration
group_by:
$ref: '#/components/schemas/Security_Detections_API_AlertSuppressionGroupBy'
missing_fields_strategy:
- $ref: '#/components/schemas/Security_Detections_API_AlertSuppressionMissingFieldsStrategy'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_AlertSuppressionMissingFieldsStrategy
required:
- group_by
Security_Detections_API_AlertSuppressionDuration:
type: object
properties:
unit:
- $ref: '#/components/schemas/Security_Detections_API_AlertSuppressionDurationUnit'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_AlertSuppressionDurationUnit
value:
minimum: 1
type: integer
@@ -36721,9 +38644,12 @@ components:
minItems: 1
type: array
Security_Detections_API_AlertSuppressionMissingFieldsStrategy:
- description: |-
- Describes how alerts will be generated for documents with missing suppress by fields:
+ description: >-
+ Describes how alerts will be generated for documents with missing
+ suppress by fields:
+
doNotSuppress - per each document a separate alert will be created
+
suppress - only alert will be created per suppress by bucket
enum:
- doNotSuppress
@@ -36746,30 +38672,50 @@ components:
- version
- count
Security_Detections_API_AnomalyThreshold:
- description: Anomaly score threshold above which the rule creates an alert. Valid values are from 0 to 100.
+ description: >-
+ Anomaly score threshold above which the rule creates an alert. Valid
+ values are from 0 to 100.
minimum: 0
type: integer
Security_Detections_API_BuildingBlockType:
- description: |
- Determines if the rule acts as a building block. If yes, the value must be `default`.
- By default, building-block alerts are not displayed in the UI. These rules are used as a foundation for other rules that do generate alerts.
- For more information, refer to [About building block rules](https://www.elastic.co/guide/en/security/current/building-block-rule.html).
+ description: >
+ Determines if the rule acts as a building block. If yes, the value must
+ be `default`.
+
+ By default, building-block alerts are not displayed in the UI. These
+ rules are used as a foundation for other rules that do generate alerts.
+
+ For more information, refer to [About building block
+ rules](https://www.elastic.co/guide/en/security/current/building-block-rule.html).
type: string
Security_Detections_API_BulkActionEditPayload:
anyOf:
- - $ref: '#/components/schemas/Security_Detections_API_BulkActionEditPayloadTags'
- - $ref: '#/components/schemas/Security_Detections_API_BulkActionEditPayloadIndexPatterns'
- - $ref: '#/components/schemas/Security_Detections_API_BulkActionEditPayloadInvestigationFields'
- - $ref: '#/components/schemas/Security_Detections_API_BulkActionEditPayloadTimeline'
- - $ref: '#/components/schemas/Security_Detections_API_BulkActionEditPayloadRuleActions'
- - $ref: '#/components/schemas/Security_Detections_API_BulkActionEditPayloadSchedule'
+ - $ref: >-
+ #/components/schemas/Security_Detections_API_BulkActionEditPayloadTags
+ - $ref: >-
+ #/components/schemas/Security_Detections_API_BulkActionEditPayloadIndexPatterns
+ - $ref: >-
+ #/components/schemas/Security_Detections_API_BulkActionEditPayloadInvestigationFields
+ - $ref: >-
+ #/components/schemas/Security_Detections_API_BulkActionEditPayloadTimeline
+ - $ref: >-
+ #/components/schemas/Security_Detections_API_BulkActionEditPayloadRuleActions
+ - $ref: >-
+ #/components/schemas/Security_Detections_API_BulkActionEditPayloadSchedule
Security_Detections_API_BulkActionEditPayloadIndexPatterns:
- description: |
+ description: >
Edits index patterns of rulesClient.
- - `add_index_patterns` adds index patterns to rules. If an index pattern already exists for a rule, no changes are made.
- - `delete_index_patterns` removes index patterns from rules. If an index pattern does not exist for a rule, no changes are made.
- - `set_index_patterns` sets index patterns for rules, overwriting any existing index patterns. If the set of index patterns is the same as the existing index patterns, no changes are made.
+
+ - `add_index_patterns` adds index patterns to rules. If an index pattern
+ already exists for a rule, no changes are made.
+
+ - `delete_index_patterns` removes index patterns from rules. If an index
+ pattern does not exist for a rule, no changes are made.
+
+ - `set_index_patterns` sets index patterns for rules, overwriting any
+ existing index patterns. If the set of index patterns is the same as the
+ existing index patterns, no changes are made.
type: object
properties:
overwrite_data_views:
@@ -36787,12 +38733,20 @@ components:
- type
- value
Security_Detections_API_BulkActionEditPayloadInvestigationFields:
- description: |
+ description: >
Edits investigation fields of rules.
- - `add_investigation_fields` adds investigation fields to rules. If an investigation field already exists for a rule, no changes are made.
- - `delete_investigation_fields` removes investigation fields from rules. If an investigation field does not exist for a rule, no changes are made.
- - `set_investigation_fields` sets investigation fields for rules. If the set of investigation fields is the same as the existing investigation fields, no changes are made.
+
+ - `add_investigation_fields` adds investigation fields to rules. If an
+ investigation field already exists for a rule, no changes are made.
+
+ - `delete_investigation_fields` removes investigation fields from rules.
+ If an investigation field does not exist for a rule, no changes are
+ made.
+
+ - `set_investigation_fields` sets investigation fields for rules. If the
+ set of investigation fields is the same as the existing investigation
+ fields, no changes are made.
type: object
properties:
type:
@@ -36807,11 +38761,18 @@ components:
- type
- value
Security_Detections_API_BulkActionEditPayloadRuleActions:
- description: |
+ description: >
Edits rule actions of rules.
- - `add_rule_actions` adds rule actions to rules. This action is non-idempotent, meaning that even if the same rule action already exists for a rule, it will be added again with a new unique ID.
- - `set_rule_actions` sets rule actions for rules. This action is non-idempotent, meaning that even if the same set of rule actions already exists for a rule, it will be set again and the actions will receive new unique IDs.
+
+ - `add_rule_actions` adds rule actions to rules. This action is
+ non-idempotent, meaning that even if the same rule action already exists
+ for a rule, it will be added again with a new unique ID.
+
+ - `set_rule_actions` sets rule actions for rules. This action is
+ non-idempotent, meaning that even if the same set of rule actions
+ already exists for a rule, it will be set again and the actions will
+ receive new unique IDs.
type: object
properties:
type:
@@ -36824,22 +38785,30 @@ components:
properties:
actions:
items:
- $ref: '#/components/schemas/Security_Detections_API_NormalizedRuleAction'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_NormalizedRuleAction
type: array
throttle:
- $ref: '#/components/schemas/Security_Detections_API_ThrottleForBulkActions'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_ThrottleForBulkActions
required:
- actions
required:
- type
- value
Security_Detections_API_BulkActionEditPayloadSchedule:
- description: |
+ description: >
Overwrites schedule of rules.
- - `set_schedule` sets a schedule for rules. If the same schedule already exists for a rule, no changes are made.
- Both `interval` and `lookback` have a format of "{integer}{time_unit}", where accepted time units are `s` for seconds, `m` for minutes, and `h` for hours. The integer must be positive and larger than 0. Examples: "45s", "30m", "6h"
+ - `set_schedule` sets a schedule for rules. If the same schedule already
+ exists for a rule, no changes are made.
+
+
+ Both `interval` and `lookback` have a format of "{integer}{time_unit}",
+ where accepted time units are `s` for seconds, `m` for minutes, and `h`
+ for hours. The integer must be positive and larger than 0. Examples:
+ "45s", "30m", "6h"
type: object
properties:
type:
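Review bot: The switch from `|` to `>` in the `Security_Detections_API_BulkActionEditPayloadSchedule` description folds the `- \`set_schedule\`` bullet into the preceding sentence, because no blank line separates `Overwrites schedule of rules.` from the bullet line; the parsed value becomes `Overwrites schedule of rules. - \`set_schedule\` sets a schedule for rules. ...` and the Markdown list marker is lost. The other descriptions reformatted in this diff (`BulkActionEditPayloadTags`, `BulkActionEditPayloadTimeline`, `BulkActionEditPayloadIndexPatterns`) keep a blank line before each bullet, so only this one regresses. Inserting an empty line after `Overwrites schedule of rules.` restores the bullet; since this file appears to be generated output, the fix likely belongs in the source schema or the formatting step rather than a hand edit here.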
@@ -36850,15 +38819,20 @@ components:
type: object
properties:
interval:
- description: Interval in which the rule runs. For example, `"1h"` means the rule runs every hour.
+ description: >-
+ Interval in which the rule runs. For example, `"1h"` means the
+ rule runs every hour.
example: 1h
pattern: ^[1-9]\d*[smh]$
type: string
lookback:
- description: |
+ description: >
Lookback time for the rules.
- Additional look-back time that the rule analyzes. For example, "10m" means the rule analyzes the last 10 minutes of data in addition to the frequency interval.
+
+ Additional look-back time that the rule analyzes. For example,
+ "10m" means the rule analyzes the last 10 minutes of data in
+ addition to the frequency interval.
example: 1h
pattern: ^[1-9]\d*[smh]$
type: string
@@ -36869,12 +38843,18 @@ components:
- type
- value
Security_Detections_API_BulkActionEditPayloadTags:
- description: |
+ description: >
Edits tags of rules.
- - `add_tags` adds tags to rules. If a tag already exists for a rule, no changes are made.
- - `delete_tags` removes tags from rules. If a tag does not exist for a rule, no changes are made.
- - `set_tags` sets tags for rules, overwriting any existing tags. If the set of tags is the same as the existing tags, no changes are made.
+
+ - `add_tags` adds tags to rules. If a tag already exists for a rule, no
+ changes are made.
+
+ - `delete_tags` removes tags from rules. If a tag does not exist for a
+ rule, no changes are made.
+
+ - `set_tags` sets tags for rules, overwriting any existing tags. If the
+ set of tags is the same as the existing tags, no changes are made.
type: object
properties:
type:
@@ -36889,10 +38869,12 @@ components:
- type
- value
Security_Detections_API_BulkActionEditPayloadTimeline:
- description: |
+ description: >
Edits timeline of rules.
- - `set_timeline` sets a timeline for rules. If the same timeline already exists for a rule, no changes are made.
+
+ - `set_timeline` sets a timeline for rules. If the same timeline already
+ exists for a rule, no changes are made.
type: object
properties:
type:
@@ -36905,7 +38887,8 @@ components:
timeline_id:
$ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId'
timeline_title:
- $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_TimelineTemplateTitle
required:
- timeline_id
- timeline_title
@@ -36948,7 +38931,9 @@ components:
- delete
type: string
ids:
- description: Array of rule IDs. Array of rule IDs to which a bulk action will be applied. Only valid when query property is undefined.
+ description: >-
+ Array of rule IDs. Array of rule IDs to which a bulk action will be
+ applied. Only valid when query property is undefined.
items:
type: string
minItems: 1
@@ -36966,7 +38951,9 @@ components:
- disable
type: string
ids:
- description: Array of rule IDs. Array of rule IDs to which a bulk action will be applied. Only valid when query property is undefined.
+ description: >-
+ Array of rule IDs. Array of rule IDs to which a bulk action will be
+ applied. Only valid when query property is undefined.
items:
type: string
minItems: 1
@@ -36997,7 +38984,9 @@ components:
- include_exceptions
- include_expired_exceptions
ids:
- description: Array of rule IDs. Array of rule IDs to which a bulk action will be applied. Only valid when query property is undefined.
+ description: >-
+ Array of rule IDs. Array of rule IDs to which a bulk action will be
+ applied. Only valid when query property is undefined.
items:
type: string
minItems: 1
@@ -37015,12 +39004,15 @@ components:
properties:
errors:
items:
- $ref: '#/components/schemas/Security_Detections_API_NormalizedRuleError'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_NormalizedRuleError
type: array
results:
- $ref: '#/components/schemas/Security_Detections_API_BulkEditActionResults'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_BulkEditActionResults
summary:
- $ref: '#/components/schemas/Security_Detections_API_BulkEditActionSummary'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_BulkEditActionSummary
required:
- results
- summary
@@ -37059,7 +39051,13 @@ components:
- deleted
- skipped
Security_Detections_API_BulkEditActionSummary:
- description: A rule can only be skipped when the bulk action to be performed on it results in nothing being done. For example, if the `edit` action is used to add a tag to a rule that already has that tag, or to delete an index pattern that is not specified in a rule. Objects returned in `attributes.results.skipped` will only include rules' `id`, `name`, and `skip_reason`.
+ description: >-
+ A rule can only be skipped when the bulk action to be performed on it
+ results in nothing being done. For example, if the `edit` action is used
+ to add a tag to a rule that already has that tag, or to delete an index
+ pattern that is not specified in a rule. Objects returned in
+ `attributes.results.skipped` will only include rules' `id`, `name`, and
+ `skip_reason`.
type: object
properties:
failed:
@@ -37089,7 +39087,9 @@ components:
minItems: 1
type: array
ids:
- description: Array of rule IDs. Array of rule IDs to which a bulk action will be applied. Only valid when query property is undefined.
+ description: >-
+ Array of rule IDs. Array of rule IDs to which a bulk action will be
+ applied. Only valid when query property is undefined.
items:
type: string
minItems: 1
@@ -37112,7 +39112,9 @@ components:
- enable
type: string
ids:
- description: Array of rule IDs. Array of rule IDs to which a bulk action will be applied. Only valid when query property is undefined.
+ description: >-
+ Array of rule IDs. Array of rule IDs to which a bulk action will be
+ applied. Only valid when query property is undefined.
items:
type: string
minItems: 1
@@ -37132,7 +39134,9 @@ components:
- export
type: string
ids:
- description: Array of rule IDs. Array of rule IDs to which a bulk action will be applied. Only valid when query property is undefined.
+ description: >-
+ Array of rule IDs. Array of rule IDs to which a bulk action will be
+ applied. Only valid when query property is undefined.
items:
type: string
minItems: 1
@@ -37150,7 +39154,9 @@ components:
- run
type: string
ids:
- description: Array of rule IDs. Array of rule IDs to which a bulk action will be applied. Only valid when query property is undefined.
+ description: >-
+ Array of rule IDs. Array of rule IDs to which a bulk action will be
+ applied. Only valid when query property is undefined.
items:
type: string
minItems: 1
@@ -37202,7 +39208,9 @@ components:
- items:
type: string
type: array
- description: 'Map Osquery results columns or static values to Elastic Common Schema (ECS) fields. Example: "ecs_mapping": {"process.pid": {"field": "pid"}}'
+ description: >-
+ Map Osquery results columns or static values to Elastic Common Schema
+ (ECS) fields. Example: "ecs_mapping": {"process.pid": {"field": "pid"}}
type: object
Security_Detections_API_EndpointResponseAction:
type: object
@@ -37261,14 +39269,18 @@ components:
- type: object
properties:
actions:
- description: Array defining the automated actions (notifications) taken when alerts are generated.
+ description: >-
+ Array defining the automated actions (notifications) taken when
+ alerts are generated.
items:
$ref: '#/components/schemas/Security_Detections_API_RuleAction'
type: array
alias_purpose:
- $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose
alias_target_id:
- $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId
author:
$ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray'
building_block_type:
@@ -37282,7 +39294,8 @@ components:
$ref: '#/components/schemas/Security_Detections_API_RuleExceptionList'
type: array
false_positives:
- $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_RuleFalsePositiveArray
from:
$ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom'
interval:
@@ -37298,24 +39311,35 @@ components:
name:
$ref: '#/components/schemas/Security_Detections_API_RuleName'
namespace:
- $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_AlertsIndexNamespace
note:
$ref: '#/components/schemas/Security_Detections_API_InvestigationGuide'
outcome:
- $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome
output_index:
$ref: '#/components/schemas/Security_Detections_API_AlertsIndex'
references:
$ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray'
related_integrations:
- $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_RelatedIntegrationArray
required_fields:
- description: |
- Elasticsearch fields and their types that need to be present for the rule to function.
+ description: >
+ Elasticsearch fields and their types that need to be present for
+ the rule to function.
+
> info
- > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data.
+
+ > The value of `required_fields` does not affect the rule’s
+ behavior, and specifying it incorrectly won’t cause the rule to
+ fail. Use `required_fields` as an informational property to
+ document the fields that the rule expects to be present in the
+ data.
items:
- $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_RequiredFieldInput
type: array
response_actions:
items:
@@ -37342,11 +39366,13 @@ components:
timeline_id:
$ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId'
timeline_title:
- $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_TimelineTemplateTitle
timestamp_override:
$ref: '#/components/schemas/Security_Detections_API_TimestampOverride'
timestamp_override_fallback_disabled:
- $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled
to:
$ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo'
version:
@@ -37385,14 +39411,18 @@ components:
- type: object
properties:
actions:
- description: Array defining the automated actions (notifications) taken when alerts are generated.
+ description: >-
+ Array defining the automated actions (notifications) taken when
+ alerts are generated.
items:
$ref: '#/components/schemas/Security_Detections_API_RuleAction'
type: array
alias_purpose:
- $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose
alias_target_id:
- $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId
author:
$ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray'
building_block_type:
@@ -37406,7 +39436,8 @@ components:
$ref: '#/components/schemas/Security_Detections_API_RuleExceptionList'
type: array
false_positives:
- $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_RuleFalsePositiveArray
from:
$ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom'
interval:
@@ -37422,24 +39453,35 @@ components:
name:
$ref: '#/components/schemas/Security_Detections_API_RuleName'
namespace:
- $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_AlertsIndexNamespace
note:
$ref: '#/components/schemas/Security_Detections_API_InvestigationGuide'
outcome:
- $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome
output_index:
$ref: '#/components/schemas/Security_Detections_API_AlertsIndex'
references:
$ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray'
related_integrations:
- $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_RelatedIntegrationArray
required_fields:
- description: |
- Elasticsearch fields and their types that need to be present for the rule to function.
+ description: >
+ Elasticsearch fields and their types that need to be present for
+ the rule to function.
+
> info
- > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data.
+
+ > The value of `required_fields` does not affect the rule’s
+ behavior, and specifying it incorrectly won’t cause the rule to
+ fail. Use `required_fields` as an informational property to
+ document the fields that the rule expects to be present in the
+ data.
items:
- $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_RequiredFieldInput
type: array
response_actions:
items:
@@ -37468,11 +39510,13 @@ components:
timeline_id:
$ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId'
timeline_title:
- $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_TimelineTemplateTitle
timestamp_override:
$ref: '#/components/schemas/Security_Detections_API_TimestampOverride'
timestamp_override_fallback_disabled:
- $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled
to:
$ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo'
version:
@@ -37503,14 +39547,18 @@ components:
- type: object
properties:
actions:
- description: Array defining the automated actions (notifications) taken when alerts are generated.
+ description: >-
+ Array defining the automated actions (notifications) taken when
+ alerts are generated.
items:
$ref: '#/components/schemas/Security_Detections_API_RuleAction'
type: array
alias_purpose:
- $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose
alias_target_id:
- $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId
author:
$ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray'
building_block_type:
@@ -37524,7 +39572,8 @@ components:
$ref: '#/components/schemas/Security_Detections_API_RuleExceptionList'
type: array
false_positives:
- $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_RuleFalsePositiveArray
from:
$ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom'
id:
@@ -37542,24 +39591,35 @@ components:
name:
$ref: '#/components/schemas/Security_Detections_API_RuleName'
namespace:
- $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_AlertsIndexNamespace
note:
$ref: '#/components/schemas/Security_Detections_API_InvestigationGuide'
outcome:
- $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome
output_index:
$ref: '#/components/schemas/Security_Detections_API_AlertsIndex'
references:
$ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray'
related_integrations:
- $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_RelatedIntegrationArray
required_fields:
- description: |
- Elasticsearch fields and their types that need to be present for the rule to function.
+ description: >
+ Elasticsearch fields and their types that need to be present for
+ the rule to function.
+
> info
- > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data.
+
+ > The value of `required_fields` does not affect the rule’s
+ behavior, and specifying it incorrectly won’t cause the rule to
+ fail. Use `required_fields` as an informational property to
+ document the fields that the rule expects to be present in the
+ data.
items:
- $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_RequiredFieldInput
type: array
response_actions:
items:
@@ -37588,11 +39648,13 @@ components:
timeline_id:
$ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId'
timeline_title:
- $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_TimelineTemplateTitle
timestamp_override:
$ref: '#/components/schemas/Security_Detections_API_TimestampOverride'
timestamp_override_fallback_disabled:
- $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled
to:
$ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo'
version:
@@ -37607,14 +39669,18 @@ components:
- type: object
properties:
actions:
- description: Array defining the automated actions (notifications) taken when alerts are generated.
+ description: >-
+ Array defining the automated actions (notifications) taken when
+ alerts are generated.
items:
$ref: '#/components/schemas/Security_Detections_API_RuleAction'
type: array
alias_purpose:
- $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose
alias_target_id:
- $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId
author:
$ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray'
building_block_type:
@@ -37628,7 +39694,8 @@ components:
$ref: '#/components/schemas/Security_Detections_API_RuleExceptionList'
type: array
false_positives:
- $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_RuleFalsePositiveArray
from:
$ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom'
id:
@@ -37646,24 +39713,35 @@ components:
name:
$ref: '#/components/schemas/Security_Detections_API_RuleName'
namespace:
- $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_AlertsIndexNamespace
note:
$ref: '#/components/schemas/Security_Detections_API_InvestigationGuide'
outcome:
- $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome
output_index:
$ref: '#/components/schemas/Security_Detections_API_AlertsIndex'
references:
$ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray'
related_integrations:
- $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_RelatedIntegrationArray
required_fields:
- description: |
- Elasticsearch fields and their types that need to be present for the rule to function.
+ description: >
+ Elasticsearch fields and their types that need to be present for
+ the rule to function.
+
> info
- > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data.
+
+ > The value of `required_fields` does not affect the rule’s
+ behavior, and specifying it incorrectly won’t cause the rule to
+ fail. Use `required_fields` as an informational property to
+ document the fields that the rule expects to be present in the
+ data.
items:
- $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_RequiredFieldInput
type: array
response_actions:
items:
@@ -37692,11 +39770,13 @@ components:
timeline_id:
$ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId'
timeline_title:
- $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_TimelineTemplateTitle
timestamp_override:
$ref: '#/components/schemas/Security_Detections_API_TimestampOverride'
timestamp_override_fallback_disabled:
- $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled
to:
$ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo'
version:
@@ -37743,14 +39823,18 @@ components:
- type: object
properties:
actions:
- description: Array defining the automated actions (notifications) taken when alerts are generated.
+ description: >-
+ Array defining the automated actions (notifications) taken when
+ alerts are generated.
items:
$ref: '#/components/schemas/Security_Detections_API_RuleAction'
type: array
alias_purpose:
- $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose
alias_target_id:
- $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId
author:
$ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray'
building_block_type:
@@ -37764,7 +39848,8 @@ components:
$ref: '#/components/schemas/Security_Detections_API_RuleExceptionList'
type: array
false_positives:
- $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_RuleFalsePositiveArray
from:
$ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom'
interval:
@@ -37780,24 +39865,35 @@ components:
name:
$ref: '#/components/schemas/Security_Detections_API_RuleName'
namespace:
- $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_AlertsIndexNamespace
note:
$ref: '#/components/schemas/Security_Detections_API_InvestigationGuide'
outcome:
- $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome
output_index:
$ref: '#/components/schemas/Security_Detections_API_AlertsIndex'
references:
$ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray'
related_integrations:
- $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_RelatedIntegrationArray
required_fields:
- description: |
- Elasticsearch fields and their types that need to be present for the rule to function.
+ description: >
+ Elasticsearch fields and their types that need to be present for
+ the rule to function.
+
> info
- > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data.
+
+ > The value of `required_fields` does not affect the rule’s
+ behavior, and specifying it incorrectly won’t cause the rule to
+ fail. Use `required_fields` as an informational property to
+ document the fields that the rule expects to be present in the
+ data.
items:
- $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_RequiredFieldInput
type: array
response_actions:
items:
@@ -37824,11 +39920,13 @@ components:
timeline_id:
$ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId'
timeline_title:
- $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_TimelineTemplateTitle
timestamp_override:
$ref: '#/components/schemas/Security_Detections_API_TimestampOverride'
timestamp_override_fallback_disabled:
- $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled
to:
$ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo'
version:
@@ -37867,14 +39965,18 @@ components:
- type: object
properties:
actions:
- description: Array defining the automated actions (notifications) taken when alerts are generated.
+ description: >-
+ Array defining the automated actions (notifications) taken when
+ alerts are generated.
items:
$ref: '#/components/schemas/Security_Detections_API_RuleAction'
type: array
alias_purpose:
- $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose
alias_target_id:
- $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId
author:
$ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray'
building_block_type:
@@ -37888,7 +39990,8 @@ components:
$ref: '#/components/schemas/Security_Detections_API_RuleExceptionList'
type: array
false_positives:
- $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_RuleFalsePositiveArray
from:
$ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom'
interval:
@@ -37904,24 +40007,35 @@ components:
name:
$ref: '#/components/schemas/Security_Detections_API_RuleName'
namespace:
- $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_AlertsIndexNamespace
note:
$ref: '#/components/schemas/Security_Detections_API_InvestigationGuide'
outcome:
- $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome
output_index:
$ref: '#/components/schemas/Security_Detections_API_AlertsIndex'
references:
$ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray'
related_integrations:
- $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_RelatedIntegrationArray
required_fields:
- description: |
- Elasticsearch fields and their types that need to be present for the rule to function.
+ description: >
+ Elasticsearch fields and their types that need to be present for
+ the rule to function.
+
> info
- > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data.
+
+ > The value of `required_fields` does not affect the rule’s
+ behavior, and specifying it incorrectly won’t cause the rule to
+ fail. Use `required_fields` as an informational property to
+ document the fields that the rule expects to be present in the
+ data.
items:
- $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_RequiredFieldInput
type: array
response_actions:
items:
@@ -37950,11 +40064,13 @@ components:
timeline_id:
$ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId'
timeline_title:
- $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_TimelineTemplateTitle
timestamp_override:
$ref: '#/components/schemas/Security_Detections_API_TimestampOverride'
timestamp_override_fallback_disabled:
- $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled
to:
$ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo'
version:
@@ -37975,14 +40091,18 @@ components:
- type: object
properties:
actions:
- description: Array defining the automated actions (notifications) taken when alerts are generated.
+ description: >-
+ Array defining the automated actions (notifications) taken when
+ alerts are generated.
items:
$ref: '#/components/schemas/Security_Detections_API_RuleAction'
type: array
alias_purpose:
- $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose
alias_target_id:
- $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId
author:
$ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray'
building_block_type:
@@ -37996,7 +40116,8 @@ components:
$ref: '#/components/schemas/Security_Detections_API_RuleExceptionList'
type: array
false_positives:
- $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_RuleFalsePositiveArray
from:
$ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom'
id:
@@ -38016,11 +40137,13 @@ components:
name:
$ref: '#/components/schemas/Security_Detections_API_RuleName'
namespace:
- $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_AlertsIndexNamespace
note:
$ref: '#/components/schemas/Security_Detections_API_InvestigationGuide'
outcome:
- $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome
output_index:
$ref: '#/components/schemas/Security_Detections_API_AlertsIndex'
query:
@@ -38028,14 +40151,23 @@ components:
references:
$ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray'
related_integrations:
- $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_RelatedIntegrationArray
required_fields:
- description: |
- Elasticsearch fields and their types that need to be present for the rule to function.
+ description: >
+ Elasticsearch fields and their types that need to be present for
+ the rule to function.
+
> info
- > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data.
+
+ > The value of `required_fields` does not affect the rule’s
+ behavior, and specifying it incorrectly won’t cause the rule to
+ fail. Use `required_fields` as an informational property to
+ document the fields that the rule expects to be present in the
+ data.
items:
- $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_RequiredFieldInput
type: array
response_actions:
items:
@@ -38064,11 +40196,13 @@ components:
timeline_id:
$ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId'
timeline_title:
- $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_TimelineTemplateTitle
timestamp_override:
$ref: '#/components/schemas/Security_Detections_API_TimestampOverride'
timestamp_override_fallback_disabled:
- $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled
to:
$ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo'
type:
@@ -38104,14 +40238,18 @@ components:
- type: object
properties:
actions:
- description: Array defining the automated actions (notifications) taken when alerts are generated.
+ description: >-
+ Array defining the automated actions (notifications) taken when
+ alerts are generated.
items:
$ref: '#/components/schemas/Security_Detections_API_RuleAction'
type: array
alias_purpose:
- $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose
alias_target_id:
- $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId
author:
$ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray'
building_block_type:
@@ -38125,7 +40263,8 @@ components:
$ref: '#/components/schemas/Security_Detections_API_RuleExceptionList'
type: array
false_positives:
- $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_RuleFalsePositiveArray
from:
$ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom'
id:
@@ -38143,24 +40282,35 @@ components:
name:
$ref: '#/components/schemas/Security_Detections_API_RuleName'
namespace:
- $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_AlertsIndexNamespace
note:
$ref: '#/components/schemas/Security_Detections_API_InvestigationGuide'
outcome:
- $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome
output_index:
$ref: '#/components/schemas/Security_Detections_API_AlertsIndex'
references:
$ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray'
related_integrations:
- $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_RelatedIntegrationArray
required_fields:
- description: |
- Elasticsearch fields and their types that need to be present for the rule to function.
+ description: >
+ Elasticsearch fields and their types that need to be present for
+ the rule to function.
+
> info
- > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data.
+
+ > The value of `required_fields` does not affect the rule’s
+ behavior, and specifying it incorrectly won’t cause the rule to
+ fail. Use `required_fields` as an informational property to
+ document the fields that the rule expects to be present in the
+ data.
items:
- $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_RequiredFieldInput
type: array
response_actions:
items:
@@ -38189,11 +40339,13 @@ components:
timeline_id:
$ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId'
timeline_title:
- $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_TimelineTemplateTitle
timestamp_override:
$ref: '#/components/schemas/Security_Detections_API_TimestampOverride'
timestamp_override_fallback_disabled:
- $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled
to:
$ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo'
version:
@@ -38218,11 +40370,14 @@ components:
- endpoint_blocklists
type: string
Security_Detections_API_ExternalRuleSource:
- description: Type of rule source for externally sourced rules, i.e. rules that have an external source, such as the Elastic Prebuilt rules repo.
+ description: >-
+ Type of rule source for externally sourced rules, i.e. rules that have
+ an external source, such as the Elastic Prebuilt rules repo.
type: object
properties:
is_customized:
- $ref: '#/components/schemas/Security_Detections_API_IsExternalRuleCustomized'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_IsExternalRuleCustomized
type:
enum:
- external
@@ -38248,7 +40403,12 @@ components:
- updatedAt
type: string
Security_Detections_API_HistoryWindowStart:
- description: Start date to use when checking if a term has been seen before. Supports relative dates – for example, now-30d will search the last 30 days of data when checking if a term is new. We do not recommend using absolute dates, which can cause issues with rule performance due to querying increasing amounts of data over time.
+ description: >-
+ Start date to use when checking if a term has been seen before. Supports
+ relative dates – for example, now-30d will search the last 30 days of
+ data when checking if a term is new. We do not recommend using absolute
+ dates, which can cause issues with rule performance due to querying
+ increasing amounts of data over time.
format: nonempty
minLength: 1
type: string
@@ -38276,15 +40436,21 @@ components:
- migrations
- is_outdated
Security_Detections_API_IndexPatternArray:
- description: |
- Indices on which the rule functions. Defaults to the Security Solution indices defined on the Kibana Advanced Settings page (Kibana → Stack Management → Advanced Settings → `securitySolution:defaultIndex`).
+ description: >
+ Indices on which the rule functions. Defaults to the Security Solution
+ indices defined on the Kibana Advanced Settings page (Kibana → Stack
+ Management → Advanced Settings → `securitySolution:defaultIndex`).
+
> info
+
> This field is not supported for ES|QL rules.
items:
type: string
type: array
Security_Detections_API_InternalRuleSource:
- description: Type of rule source for internally sourced rules, i.e. created within the Kibana apps.
+ description: >-
+ Type of rule source for internally sourced rules, i.e. created within
+ the Kibana apps.
type: object
properties:
type:
@@ -38294,9 +40460,12 @@ components:
required:
- type
Security_Detections_API_InvestigationFields:
- description: |
- Schema for fields relating to investigation fields. These are user defined fields we use to highlight
- in various features in the UI such as alert details flyout and exceptions auto-population from alert.
+ description: >
+ Schema for fields relating to investigation fields. These are user
+ defined fields we use to highlight
+
+ in various features in the UI such as alert details flyout and
+ exceptions auto-population from alert.
type: object
properties:
field_names:
@@ -38310,14 +40479,19 @@ components:
description: Notes to help investigate alerts produced by the rule.
type: string
Security_Detections_API_IsExternalRuleCustomized:
- description: Determines whether an external/prebuilt rule has been customized by the user (i.e. any of its fields have been modified and diverged from the base value).
+ description: >-
+ Determines whether an external/prebuilt rule has been customized by the
+ user (i.e. any of its fields have been modified and diverged from the
+ base value).
type: boolean
Security_Detections_API_IsRuleEnabled:
description: Determines whether the rule is enabled. Defaults to true.
type: boolean
Security_Detections_API_IsRuleImmutable:
deprecated: true
- description: This field determines whether the rule is a prebuilt Elastic rule. It will be replaced with the `rule_source` field.
+ description: >-
+ This field determines whether the rule is a prebuilt Elastic rule. It
+ will be replaced with the `rule_source` field.
type: boolean
Security_Detections_API_ItemsPerSearch:
minimum: 1
@@ -38340,14 +40514,18 @@ components:
- type: object
properties:
actions:
- description: Array defining the automated actions (notifications) taken when alerts are generated.
+ description: >-
+ Array defining the automated actions (notifications) taken when
+ alerts are generated.
items:
$ref: '#/components/schemas/Security_Detections_API_RuleAction'
type: array
alias_purpose:
- $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose
alias_target_id:
- $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId
author:
$ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray'
building_block_type:
@@ -38361,7 +40539,8 @@ components:
$ref: '#/components/schemas/Security_Detections_API_RuleExceptionList'
type: array
false_positives:
- $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_RuleFalsePositiveArray
from:
$ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom'
interval:
@@ -38377,24 +40556,35 @@ components:
name:
$ref: '#/components/schemas/Security_Detections_API_RuleName'
namespace:
- $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_AlertsIndexNamespace
note:
$ref: '#/components/schemas/Security_Detections_API_InvestigationGuide'
outcome:
- $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome
output_index:
$ref: '#/components/schemas/Security_Detections_API_AlertsIndex'
references:
$ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray'
related_integrations:
- $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_RelatedIntegrationArray
required_fields:
- description: |
- Elasticsearch fields and their types that need to be present for the rule to function.
+ description: >
+ Elasticsearch fields and their types that need to be present for
+ the rule to function.
+
> info
- > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data.
+
+ > The value of `required_fields` does not affect the rule’s
+ behavior, and specifying it incorrectly won’t cause the rule to
+ fail. Use `required_fields` as an informational property to
+ document the fields that the rule expects to be present in the
+ data.
items:
- $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_RequiredFieldInput
type: array
response_actions:
items:
@@ -38421,11 +40611,13 @@ components:
timeline_id:
$ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId'
timeline_title:
- $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_TimelineTemplateTitle
timestamp_override:
$ref: '#/components/schemas/Security_Detections_API_TimestampOverride'
timestamp_override_fallback_disabled:
- $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled
to:
$ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo'
version:
@@ -38454,24 +40646,31 @@ components:
- related_integrations
- required_fields
- $ref: '#/components/schemas/Security_Detections_API_ResponseFields'
- - $ref: '#/components/schemas/Security_Detections_API_MachineLearningRuleResponseFields'
+ - $ref: >-
+ #/components/schemas/Security_Detections_API_MachineLearningRuleResponseFields
Security_Detections_API_MachineLearningRuleCreateFields:
allOf:
- - $ref: '#/components/schemas/Security_Detections_API_MachineLearningRuleRequiredFields'
- - $ref: '#/components/schemas/Security_Detections_API_MachineLearningRuleOptionalFields'
+ - $ref: >-
+ #/components/schemas/Security_Detections_API_MachineLearningRuleRequiredFields
+ - $ref: >-
+ #/components/schemas/Security_Detections_API_MachineLearningRuleOptionalFields
Security_Detections_API_MachineLearningRuleCreateProps:
allOf:
- type: object
properties:
actions:
- description: Array defining the automated actions (notifications) taken when alerts are generated.
+ description: >-
+ Array defining the automated actions (notifications) taken when
+ alerts are generated.
items:
$ref: '#/components/schemas/Security_Detections_API_RuleAction'
type: array
alias_purpose:
- $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose
alias_target_id:
- $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId
author:
$ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray'
building_block_type:
@@ -38485,7 +40684,8 @@ components:
$ref: '#/components/schemas/Security_Detections_API_RuleExceptionList'
type: array
false_positives:
- $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_RuleFalsePositiveArray
from:
$ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom'
interval:
@@ -38501,24 +40701,35 @@ components:
name:
$ref: '#/components/schemas/Security_Detections_API_RuleName'
namespace:
- $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_AlertsIndexNamespace
note:
$ref: '#/components/schemas/Security_Detections_API_InvestigationGuide'
outcome:
- $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome
output_index:
$ref: '#/components/schemas/Security_Detections_API_AlertsIndex'
references:
$ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray'
related_integrations:
- $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_RelatedIntegrationArray
required_fields:
- description: |
- Elasticsearch fields and their types that need to be present for the rule to function.
+ description: >
+ Elasticsearch fields and their types that need to be present for
+ the rule to function.
+
> info
- > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data.
+
+ > The value of `required_fields` does not affect the rule’s
+ behavior, and specifying it incorrectly won’t cause the rule to
+ fail. Use `required_fields` as an informational property to
+ document the fields that the rule expects to be present in the
+ data.
items:
- $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_RequiredFieldInput
type: array
response_actions:
items:
@@ -38547,11 +40758,13 @@ components:
timeline_id:
$ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId'
timeline_title:
- $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_TimelineTemplateTitle
timestamp_override:
$ref: '#/components/schemas/Security_Detections_API_TimestampOverride'
timestamp_override_fallback_disabled:
- $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled
to:
$ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo'
version:
@@ -38561,7 +40774,8 @@ components:
- description
- risk_score
- severity
- - $ref: '#/components/schemas/Security_Detections_API_MachineLearningRuleCreateFields'
+ - $ref: >-
+ #/components/schemas/Security_Detections_API_MachineLearningRuleCreateFields
Security_Detections_API_MachineLearningRuleOptionalFields:
type: object
properties:
@@ -38574,26 +40788,32 @@ components:
anomaly_threshold:
$ref: '#/components/schemas/Security_Detections_API_AnomalyThreshold'
machine_learning_job_id:
- $ref: '#/components/schemas/Security_Detections_API_MachineLearningJobId'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_MachineLearningJobId
type:
description: Rule type
enum:
- machine_learning
type: string
- - $ref: '#/components/schemas/Security_Detections_API_MachineLearningRuleOptionalFields'
+ - $ref: >-
+ #/components/schemas/Security_Detections_API_MachineLearningRuleOptionalFields
Security_Detections_API_MachineLearningRulePatchProps:
allOf:
- type: object
properties:
actions:
- description: Array defining the automated actions (notifications) taken when alerts are generated.
+ description: >-
+ Array defining the automated actions (notifications) taken when
+ alerts are generated.
items:
$ref: '#/components/schemas/Security_Detections_API_RuleAction'
type: array
alias_purpose:
- $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose
alias_target_id:
- $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId
author:
$ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray'
building_block_type:
@@ -38607,7 +40827,8 @@ components:
$ref: '#/components/schemas/Security_Detections_API_RuleExceptionList'
type: array
false_positives:
- $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_RuleFalsePositiveArray
from:
$ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom'
id:
@@ -38625,24 +40846,35 @@ components:
name:
$ref: '#/components/schemas/Security_Detections_API_RuleName'
namespace:
- $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_AlertsIndexNamespace
note:
$ref: '#/components/schemas/Security_Detections_API_InvestigationGuide'
outcome:
- $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome
output_index:
$ref: '#/components/schemas/Security_Detections_API_AlertsIndex'
references:
$ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray'
related_integrations:
- $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_RelatedIntegrationArray
required_fields:
- description: |
- Elasticsearch fields and their types that need to be present for the rule to function.
+ description: >
+ Elasticsearch fields and their types that need to be present for
+ the rule to function.
+
> info
- > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data.
+
+ > The value of `required_fields` does not affect the rule’s
+ behavior, and specifying it incorrectly won’t cause the rule to
+ fail. Use `required_fields` as an informational property to
+ document the fields that the rule expects to be present in the
+ data.
items:
- $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_RequiredFieldInput
type: array
response_actions:
items:
@@ -38671,16 +40903,19 @@ components:
timeline_id:
$ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId'
timeline_title:
- $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_TimelineTemplateTitle
timestamp_override:
$ref: '#/components/schemas/Security_Detections_API_TimestampOverride'
timestamp_override_fallback_disabled:
- $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled
to:
$ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo'
version:
$ref: '#/components/schemas/Security_Detections_API_RuleVersion'
- - $ref: '#/components/schemas/Security_Detections_API_MachineLearningRulePatchFields'
+ - $ref: >-
+ #/components/schemas/Security_Detections_API_MachineLearningRulePatchFields
Security_Detections_API_MachineLearningRuleRequiredFields:
type: object
properties:
@@ -38699,21 +40934,27 @@ components:
- anomaly_threshold
Security_Detections_API_MachineLearningRuleResponseFields:
allOf:
- - $ref: '#/components/schemas/Security_Detections_API_MachineLearningRuleRequiredFields'
- - $ref: '#/components/schemas/Security_Detections_API_MachineLearningRuleOptionalFields'
+ - $ref: >-
+ #/components/schemas/Security_Detections_API_MachineLearningRuleRequiredFields
+ - $ref: >-
+ #/components/schemas/Security_Detections_API_MachineLearningRuleOptionalFields
Security_Detections_API_MachineLearningRuleUpdateProps:
allOf:
- type: object
properties:
actions:
- description: Array defining the automated actions (notifications) taken when alerts are generated.
+ description: >-
+ Array defining the automated actions (notifications) taken when
+ alerts are generated.
items:
$ref: '#/components/schemas/Security_Detections_API_RuleAction'
type: array
alias_purpose:
- $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose
alias_target_id:
- $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId
author:
$ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray'
building_block_type:
@@ -38727,7 +40968,8 @@ components:
$ref: '#/components/schemas/Security_Detections_API_RuleExceptionList'
type: array
false_positives:
- $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_RuleFalsePositiveArray
from:
$ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom'
id:
@@ -38745,24 +40987,35 @@ components:
name:
$ref: '#/components/schemas/Security_Detections_API_RuleName'
namespace:
- $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_AlertsIndexNamespace
note:
$ref: '#/components/schemas/Security_Detections_API_InvestigationGuide'
outcome:
- $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome
output_index:
$ref: '#/components/schemas/Security_Detections_API_AlertsIndex'
references:
$ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray'
related_integrations:
- $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_RelatedIntegrationArray
required_fields:
- description: |
- Elasticsearch fields and their types that need to be present for the rule to function.
+ description: >
+ Elasticsearch fields and their types that need to be present for
+ the rule to function.
+
> info
- > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data.
+
+ > The value of `required_fields` does not affect the rule’s
+ behavior, and specifying it incorrectly won’t cause the rule to
+ fail. Use `required_fields` as an informational property to
+ document the fields that the rule expects to be present in the
+ data.
items:
- $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_RequiredFieldInput
type: array
response_actions:
items:
@@ -38791,11 +41044,13 @@ components:
timeline_id:
$ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId'
timeline_title:
- $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_TimelineTemplateTitle
timestamp_override:
$ref: '#/components/schemas/Security_Detections_API_TimestampOverride'
timestamp_override_fallback_disabled:
- $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled
to:
$ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo'
version:
@@ -38805,13 +41060,25 @@ components:
- description
- risk_score
- severity
- - $ref: '#/components/schemas/Security_Detections_API_MachineLearningRuleCreateFields'
+ - $ref: >-
+ #/components/schemas/Security_Detections_API_MachineLearningRuleCreateFields
Security_Detections_API_MaxSignals:
default: 100
- description: |
- Maximum number of alerts the rule can create during a single run (the rule’s Max alerts per run [advanced setting](https://www.elastic.co/guide/en/security/current/rules-ui-create.html#rule-ui-advanced-params) value).
+ description: >
+ Maximum number of alerts the rule can create during a single run (the
+ rule’s Max alerts per run [advanced
+ setting](https://www.elastic.co/guide/en/security/current/rules-ui-create.html#rule-ui-advanced-params)
+ value).
+
> info
- > This setting can be superseded by the [Kibana configuration setting](https://www.elastic.co/guide/en/kibana/current/alert-action-settings-kb.html#alert-settings) `xpack.alerting.rules.run.alerts.max`, which determines the maximum alerts generated by any rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, the rule can generate no more than 1000 alerts even if `max_signals` is set higher.
+
+ > This setting can be superseded by the [Kibana configuration
+ setting](https://www.elastic.co/guide/en/kibana/current/alert-action-settings-kb.html#alert-settings)
+ `xpack.alerting.rules.run.alerts.max`, which determines the maximum
+ alerts generated by any rule in the Kibana alerting framework. For
+ example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, the
+ rule can generate no more than 1000 alerts even if `max_signals` is set
+ higher.
minimum: 1
type: integer
Security_Detections_API_MigrationCleanupResult:
@@ -38924,14 +41191,18 @@ components:
- type: object
properties:
actions:
- description: Array defining the automated actions (notifications) taken when alerts are generated.
+ description: >-
+ Array defining the automated actions (notifications) taken when
+ alerts are generated.
items:
$ref: '#/components/schemas/Security_Detections_API_RuleAction'
type: array
alias_purpose:
- $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose
alias_target_id:
- $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId
author:
$ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray'
building_block_type:
@@ -38945,7 +41216,8 @@ components:
$ref: '#/components/schemas/Security_Detections_API_RuleExceptionList'
type: array
false_positives:
- $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_RuleFalsePositiveArray
from:
$ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom'
interval:
@@ -38961,24 +41233,35 @@ components:
name:
$ref: '#/components/schemas/Security_Detections_API_RuleName'
namespace:
- $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_AlertsIndexNamespace
note:
$ref: '#/components/schemas/Security_Detections_API_InvestigationGuide'
outcome:
- $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome
output_index:
$ref: '#/components/schemas/Security_Detections_API_AlertsIndex'
references:
$ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray'
related_integrations:
- $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_RelatedIntegrationArray
required_fields:
- description: |
- Elasticsearch fields and their types that need to be present for the rule to function.
+ description: >
+ Elasticsearch fields and their types that need to be present for
+ the rule to function.
+
> info
- > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data.
+
+ > The value of `required_fields` does not affect the rule’s
+ behavior, and specifying it incorrectly won’t cause the rule to
+ fail. Use `required_fields` as an informational property to
+ document the fields that the rule expects to be present in the
+ data.
items:
- $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_RequiredFieldInput
type: array
response_actions:
items:
@@ -39005,11 +41288,13 @@ components:
timeline_id:
$ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId'
timeline_title:
- $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_TimelineTemplateTitle
timestamp_override:
$ref: '#/components/schemas/Security_Detections_API_TimestampOverride'
timestamp_override_fallback_disabled:
- $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled
to:
$ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo'
version:
@@ -39038,25 +41323,33 @@ components:
- related_integrations
- required_fields
- $ref: '#/components/schemas/Security_Detections_API_ResponseFields'
- - $ref: '#/components/schemas/Security_Detections_API_NewTermsRuleResponseFields'
+ - $ref: >-
+ #/components/schemas/Security_Detections_API_NewTermsRuleResponseFields
Security_Detections_API_NewTermsRuleCreateFields:
allOf:
- - $ref: '#/components/schemas/Security_Detections_API_NewTermsRuleRequiredFields'
- - $ref: '#/components/schemas/Security_Detections_API_NewTermsRuleOptionalFields'
- - $ref: '#/components/schemas/Security_Detections_API_NewTermsRuleDefaultableFields'
+ - $ref: >-
+ #/components/schemas/Security_Detections_API_NewTermsRuleRequiredFields
+ - $ref: >-
+ #/components/schemas/Security_Detections_API_NewTermsRuleOptionalFields
+ - $ref: >-
+ #/components/schemas/Security_Detections_API_NewTermsRuleDefaultableFields
Security_Detections_API_NewTermsRuleCreateProps:
allOf:
- type: object
properties:
actions:
- description: Array defining the automated actions (notifications) taken when alerts are generated.
+ description: >-
+ Array defining the automated actions (notifications) taken when
+ alerts are generated.
items:
$ref: '#/components/schemas/Security_Detections_API_RuleAction'
type: array
alias_purpose:
- $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose
alias_target_id:
- $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId
author:
$ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray'
building_block_type:
@@ -39070,7 +41363,8 @@ components:
$ref: '#/components/schemas/Security_Detections_API_RuleExceptionList'
type: array
false_positives:
- $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_RuleFalsePositiveArray
from:
$ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom'
interval:
@@ -39086,24 +41380,35 @@ components:
name:
$ref: '#/components/schemas/Security_Detections_API_RuleName'
namespace:
- $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_AlertsIndexNamespace
note:
$ref: '#/components/schemas/Security_Detections_API_InvestigationGuide'
outcome:
- $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome
output_index:
$ref: '#/components/schemas/Security_Detections_API_AlertsIndex'
references:
$ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray'
related_integrations:
- $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_RelatedIntegrationArray
required_fields:
- description: |
- Elasticsearch fields and their types that need to be present for the rule to function.
+ description: >
+ Elasticsearch fields and their types that need to be present for
+ the rule to function.
+
> info
- > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data.
+
+ > The value of `required_fields` does not affect the rule’s
+ behavior, and specifying it incorrectly won’t cause the rule to
+ fail. Use `required_fields` as an informational property to
+ document the fields that the rule expects to be present in the
+ data.
items:
- $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_RequiredFieldInput
type: array
response_actions:
items:
@@ -39132,11 +41437,13 @@ components:
timeline_id:
$ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId'
timeline_title:
- $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_TimelineTemplateTitle
timestamp_override:
$ref: '#/components/schemas/Security_Detections_API_TimestampOverride'
timestamp_override_fallback_disabled:
- $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled
to:
$ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo'
version:
@@ -39146,7 +41453,8 @@ components:
- description
- risk_score
- severity
- - $ref: '#/components/schemas/Security_Detections_API_NewTermsRuleCreateFields'
+ - $ref: >-
+ #/components/schemas/Security_Detections_API_NewTermsRuleCreateFields
Security_Detections_API_NewTermsRuleDefaultableFields:
type: object
properties:
@@ -39178,21 +41486,27 @@ components:
enum:
- new_terms
type: string
- - $ref: '#/components/schemas/Security_Detections_API_NewTermsRuleOptionalFields'
- - $ref: '#/components/schemas/Security_Detections_API_NewTermsRuleDefaultableFields'
+ - $ref: >-
+ #/components/schemas/Security_Detections_API_NewTermsRuleOptionalFields
+ - $ref: >-
+ #/components/schemas/Security_Detections_API_NewTermsRuleDefaultableFields
Security_Detections_API_NewTermsRulePatchProps:
allOf:
- type: object
properties:
actions:
- description: Array defining the automated actions (notifications) taken when alerts are generated.
+ description: >-
+ Array defining the automated actions (notifications) taken when
+ alerts are generated.
items:
$ref: '#/components/schemas/Security_Detections_API_RuleAction'
type: array
alias_purpose:
- $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose
alias_target_id:
- $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId
author:
$ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray'
building_block_type:
@@ -39206,7 +41520,8 @@ components:
$ref: '#/components/schemas/Security_Detections_API_RuleExceptionList'
type: array
false_positives:
- $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_RuleFalsePositiveArray
from:
$ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom'
id:
@@ -39224,24 +41539,35 @@ components:
name:
$ref: '#/components/schemas/Security_Detections_API_RuleName'
namespace:
- $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_AlertsIndexNamespace
note:
$ref: '#/components/schemas/Security_Detections_API_InvestigationGuide'
outcome:
- $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome
output_index:
$ref: '#/components/schemas/Security_Detections_API_AlertsIndex'
references:
$ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray'
related_integrations:
- $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_RelatedIntegrationArray
required_fields:
- description: |
- Elasticsearch fields and their types that need to be present for the rule to function.
+ description: >
+ Elasticsearch fields and their types that need to be present for
+ the rule to function.
+
> info
- > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data.
+
+ > The value of `required_fields` does not affect the rule’s
+ behavior, and specifying it incorrectly won’t cause the rule to
+ fail. Use `required_fields` as an informational property to
+ document the fields that the rule expects to be present in the
+ data.
items:
- $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_RequiredFieldInput
type: array
response_actions:
items:
@@ -39270,11 +41596,13 @@ components:
timeline_id:
$ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId'
timeline_title:
- $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_TimelineTemplateTitle
timestamp_override:
$ref: '#/components/schemas/Security_Detections_API_TimestampOverride'
timestamp_override_fallback_disabled:
- $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled
to:
$ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo'
version:
@@ -39301,8 +41629,10 @@ components:
- history_window_start
Security_Detections_API_NewTermsRuleResponseFields:
allOf:
- - $ref: '#/components/schemas/Security_Detections_API_NewTermsRuleRequiredFields'
- - $ref: '#/components/schemas/Security_Detections_API_NewTermsRuleOptionalFields'
+ - $ref: >-
+ #/components/schemas/Security_Detections_API_NewTermsRuleRequiredFields
+ - $ref: >-
+ #/components/schemas/Security_Detections_API_NewTermsRuleOptionalFields
- type: object
properties:
language:
@@ -39314,14 +41644,18 @@ components:
- type: object
properties:
actions:
- description: Array defining the automated actions (notifications) taken when alerts are generated.
+ description: >-
+ Array defining the automated actions (notifications) taken when
+ alerts are generated.
items:
$ref: '#/components/schemas/Security_Detections_API_RuleAction'
type: array
alias_purpose:
- $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose
alias_target_id:
- $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId
author:
$ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray'
building_block_type:
@@ -39335,7 +41669,8 @@ components:
$ref: '#/components/schemas/Security_Detections_API_RuleExceptionList'
type: array
false_positives:
- $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_RuleFalsePositiveArray
from:
$ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom'
id:
@@ -39353,24 +41688,35 @@ components:
name:
$ref: '#/components/schemas/Security_Detections_API_RuleName'
namespace:
- $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_AlertsIndexNamespace
note:
$ref: '#/components/schemas/Security_Detections_API_InvestigationGuide'
outcome:
- $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome
output_index:
$ref: '#/components/schemas/Security_Detections_API_AlertsIndex'
references:
$ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray'
related_integrations:
- $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_RelatedIntegrationArray
required_fields:
- description: |
- Elasticsearch fields and their types that need to be present for the rule to function.
+ description: >
+ Elasticsearch fields and their types that need to be present for
+ the rule to function.
+
> info
- > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data.
+
+ > The value of `required_fields` does not affect the rule’s
+ behavior, and specifying it incorrectly won’t cause the rule to
+ fail. Use `required_fields` as an informational property to
+ document the fields that the rule expects to be present in the
+ data.
items:
- $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_RequiredFieldInput
type: array
response_actions:
items:
@@ -39399,11 +41745,13 @@ components:
timeline_id:
$ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId'
timeline_title:
- $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_TimelineTemplateTitle
timestamp_override:
$ref: '#/components/schemas/Security_Detections_API_TimestampOverride'
timestamp_override_fallback_disabled:
- $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled
to:
$ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo'
version:
@@ -39413,7 +41761,8 @@ components:
- description
- risk_score
- severity
- - $ref: '#/components/schemas/Security_Detections_API_NewTermsRuleCreateFields'
+ - $ref: >-
+ #/components/schemas/Security_Detections_API_NewTermsRuleCreateFields
Security_Detections_API_NonEmptyString:
description: A string that does not contain only whitespace characters
format: nonempty
@@ -39440,7 +41789,8 @@ components:
type: object
properties:
err_code:
- $ref: '#/components/schemas/Security_Detections_API_BulkActionsDryRunErrCode'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_BulkActionsDryRunErrCode
message:
type: string
rules:
@@ -39459,20 +41809,31 @@ components:
ecs_mapping:
$ref: '#/components/schemas/Security_Detections_API_EcsMapping'
pack_id:
- description: 'To specify a query pack, use the packId field. Example: "packId": "processes_elastic"'
+ description: >-
+ To specify a query pack, use the packId field. Example: "packId":
+ "processes_elastic"
type: string
queries:
items:
$ref: '#/components/schemas/Security_Detections_API_OsqueryQuery'
type: array
query:
- description: 'To run a single query, use the query field and enter a SQL query. Example: "query": "SELECT * FROM processes;"'
+ description: >-
+ To run a single query, use the query field and enter a SQL query.
+ Example: "query": "SELECT * FROM processes;"
type: string
saved_query_id:
- description: 'To run a saved query, use the saved_query_id field and specify the saved query ID. Example: "saved_query_id": "processes_elastic"'
+ description: >-
+ To run a saved query, use the saved_query_id field and specify the
+ saved query ID. Example: "saved_query_id": "processes_elastic"
type: string
timeout:
- description: 'A timeout period, in seconds, after which the query will stop running. Overwriting the default timeout allows you to support queries that require more time to complete. The default and minimum supported value is 60. The maximum supported value is 900. Example: "timeout": 120.'
+ description: >-
+ A timeout period, in seconds, after which the query will stop
+ running. Overwriting the default timeout allows you to support
+ queries that require more time to complete. The default and minimum
+ supported value is 60. The maximum supported value is 900. Example:
+ "timeout": 120.
type: number
Security_Detections_API_OsqueryQuery:
type: object
@@ -39526,13 +41887,18 @@ components:
type: object
properties:
command:
- description: 'To run an endpoint response action, specify a value for the command field. Example: "command": "isolate"'
+ description: >-
+ To run an endpoint response action, specify a value for the command
+ field. Example: "command": "isolate"
enum:
- kill-process
- suspend-process
type: string
comment:
- description: 'Add a note that explains or describes the action. You can find your comment in the response actions history log. Example: "comment": "Check processes"'
+ description: >-
+ Add a note that explains or describes the action. You can find your
+ comment in the response actions history log. Example: "comment":
+ "Check processes"
type: string
config:
type: object
@@ -39554,14 +41920,18 @@ components:
- type: object
properties:
actions:
- description: Array defining the automated actions (notifications) taken when alerts are generated.
+ description: >-
+ Array defining the automated actions (notifications) taken when
+ alerts are generated.
items:
$ref: '#/components/schemas/Security_Detections_API_RuleAction'
type: array
alias_purpose:
- $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose
alias_target_id:
- $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId
author:
$ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray'
building_block_type:
@@ -39575,7 +41945,8 @@ components:
$ref: '#/components/schemas/Security_Detections_API_RuleExceptionList'
type: array
false_positives:
- $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_RuleFalsePositiveArray
from:
$ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom'
interval:
@@ -39591,24 +41962,35 @@ components:
name:
$ref: '#/components/schemas/Security_Detections_API_RuleName'
namespace:
- $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_AlertsIndexNamespace
note:
$ref: '#/components/schemas/Security_Detections_API_InvestigationGuide'
outcome:
- $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome
output_index:
$ref: '#/components/schemas/Security_Detections_API_AlertsIndex'
references:
$ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray'
related_integrations:
- $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_RelatedIntegrationArray
required_fields:
- description: |
- Elasticsearch fields and their types that need to be present for the rule to function.
+ description: >
+ Elasticsearch fields and their types that need to be present for
+ the rule to function.
+
> info
- > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data.
+
+ > The value of `required_fields` does not affect the rule’s
+ behavior, and specifying it incorrectly won’t cause the rule to
+ fail. Use `required_fields` as an informational property to
+ document the fields that the rule expects to be present in the
+ data.
items:
- $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_RequiredFieldInput
type: array
response_actions:
items:
@@ -39635,11 +42017,13 @@ components:
timeline_id:
$ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId'
timeline_title:
- $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_TimelineTemplateTitle
timestamp_override:
$ref: '#/components/schemas/Security_Detections_API_TimestampOverride'
timestamp_override_fallback_disabled:
- $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled
to:
$ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo'
version:
@@ -39673,20 +42057,25 @@ components:
allOf:
- $ref: '#/components/schemas/Security_Detections_API_QueryRuleRequiredFields'
- $ref: '#/components/schemas/Security_Detections_API_QueryRuleOptionalFields'
- - $ref: '#/components/schemas/Security_Detections_API_QueryRuleDefaultableFields'
+ - $ref: >-
+ #/components/schemas/Security_Detections_API_QueryRuleDefaultableFields
Security_Detections_API_QueryRuleCreateProps:
allOf:
- type: object
properties:
actions:
- description: Array defining the automated actions (notifications) taken when alerts are generated.
+ description: >-
+ Array defining the automated actions (notifications) taken when
+ alerts are generated.
items:
$ref: '#/components/schemas/Security_Detections_API_RuleAction'
type: array
alias_purpose:
- $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose
alias_target_id:
- $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId
author:
$ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray'
building_block_type:
@@ -39700,7 +42089,8 @@ components:
$ref: '#/components/schemas/Security_Detections_API_RuleExceptionList'
type: array
false_positives:
- $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_RuleFalsePositiveArray
from:
$ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom'
interval:
@@ -39716,24 +42106,35 @@ components:
name:
$ref: '#/components/schemas/Security_Detections_API_RuleName'
namespace:
- $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_AlertsIndexNamespace
note:
$ref: '#/components/schemas/Security_Detections_API_InvestigationGuide'
outcome:
- $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome
output_index:
$ref: '#/components/schemas/Security_Detections_API_AlertsIndex'
references:
$ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray'
related_integrations:
- $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_RelatedIntegrationArray
required_fields:
- description: |
- Elasticsearch fields and their types that need to be present for the rule to function.
+ description: >
+ Elasticsearch fields and their types that need to be present for
+ the rule to function.
+
> info
- > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data.
+
+ > The value of `required_fields` does not affect the rule’s
+ behavior, and specifying it incorrectly won’t cause the rule to
+ fail. Use `required_fields` as an informational property to
+ document the fields that the rule expects to be present in the
+ data.
items:
- $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_RequiredFieldInput
type: array
response_actions:
items:
@@ -39762,11 +42163,13 @@ components:
timeline_id:
$ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId'
timeline_title:
- $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_TimelineTemplateTitle
timestamp_override:
$ref: '#/components/schemas/Security_Detections_API_TimestampOverride'
timestamp_override_fallback_disabled:
- $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled
to:
$ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo'
version:
@@ -39807,20 +42210,25 @@ components:
- query
type: string
- $ref: '#/components/schemas/Security_Detections_API_QueryRuleOptionalFields'
- - $ref: '#/components/schemas/Security_Detections_API_QueryRuleDefaultableFields'
+ - $ref: >-
+ #/components/schemas/Security_Detections_API_QueryRuleDefaultableFields
Security_Detections_API_QueryRulePatchProps:
allOf:
- type: object
properties:
actions:
- description: Array defining the automated actions (notifications) taken when alerts are generated.
+ description: >-
+ Array defining the automated actions (notifications) taken when
+ alerts are generated.
items:
$ref: '#/components/schemas/Security_Detections_API_RuleAction'
type: array
alias_purpose:
- $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose
alias_target_id:
- $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId
author:
$ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray'
building_block_type:
@@ -39834,7 +42242,8 @@ components:
$ref: '#/components/schemas/Security_Detections_API_RuleExceptionList'
type: array
false_positives:
- $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_RuleFalsePositiveArray
from:
$ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom'
id:
@@ -39852,24 +42261,35 @@ components:
name:
$ref: '#/components/schemas/Security_Detections_API_RuleName'
namespace:
- $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_AlertsIndexNamespace
note:
$ref: '#/components/schemas/Security_Detections_API_InvestigationGuide'
outcome:
- $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome
output_index:
$ref: '#/components/schemas/Security_Detections_API_AlertsIndex'
references:
$ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray'
related_integrations:
- $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_RelatedIntegrationArray
required_fields:
- description: |
- Elasticsearch fields and their types that need to be present for the rule to function.
+ description: >
+ Elasticsearch fields and their types that need to be present for
+ the rule to function.
+
> info
- > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data.
+
+ > The value of `required_fields` does not affect the rule’s
+ behavior, and specifying it incorrectly won’t cause the rule to
+ fail. Use `required_fields` as an informational property to
+ document the fields that the rule expects to be present in the
+ data.
items:
- $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_RequiredFieldInput
type: array
response_actions:
items:
@@ -39898,11 +42318,13 @@ components:
timeline_id:
$ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId'
timeline_title:
- $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_TimelineTemplateTitle
timestamp_override:
$ref: '#/components/schemas/Security_Detections_API_TimestampOverride'
timestamp_override_fallback_disabled:
- $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled
to:
$ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo'
version:
@@ -39936,14 +42358,18 @@ components:
- type: object
properties:
actions:
- description: Array defining the automated actions (notifications) taken when alerts are generated.
+ description: >-
+ Array defining the automated actions (notifications) taken when
+ alerts are generated.
items:
$ref: '#/components/schemas/Security_Detections_API_RuleAction'
type: array
alias_purpose:
- $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose
alias_target_id:
- $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId
author:
$ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray'
building_block_type:
@@ -39957,7 +42383,8 @@ components:
$ref: '#/components/schemas/Security_Detections_API_RuleExceptionList'
type: array
false_positives:
- $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_RuleFalsePositiveArray
from:
$ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom'
id:
@@ -39975,24 +42402,35 @@ components:
name:
$ref: '#/components/schemas/Security_Detections_API_RuleName'
namespace:
- $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_AlertsIndexNamespace
note:
$ref: '#/components/schemas/Security_Detections_API_InvestigationGuide'
outcome:
- $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome
output_index:
$ref: '#/components/schemas/Security_Detections_API_AlertsIndex'
references:
$ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray'
related_integrations:
- $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_RelatedIntegrationArray
required_fields:
- description: |
- Elasticsearch fields and their types that need to be present for the rule to function.
+ description: >
+ Elasticsearch fields and their types that need to be present for
+ the rule to function.
+
> info
- > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data.
+
+ > The value of `required_fields` does not affect the rule’s
+ behavior, and specifying it incorrectly won’t cause the rule to
+ fail. Use `required_fields` as an informational property to
+ document the fields that the rule expects to be present in the
+ data.
items:
- $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_RequiredFieldInput
type: array
response_actions:
items:
@@ -40021,11 +42459,13 @@ components:
timeline_id:
$ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId'
timeline_title:
- $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_TimelineTemplateTitle
timestamp_override:
$ref: '#/components/schemas/Security_Detections_API_TimestampOverride'
timestamp_override_fallback_disabled:
- $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled
to:
$ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo'
version:
@@ -40037,23 +42477,45 @@ components:
- severity
- $ref: '#/components/schemas/Security_Detections_API_QueryRuleCreateFields'
Security_Detections_API_RelatedIntegration:
- description: |
- Related integration is a potential dependency of a rule. It's assumed that if the user installs
- one of the related integrations of a rule, the rule might start to work properly because it will
- have source events (generated by this integration) potentially matching the rule's query.
+ description: >
+ Related integration is a potential dependency of a rule. It's assumed
+ that if the user installs
+
+ one of the related integrations of a rule, the rule might start to work
+ properly because it will
+
+ have source events (generated by this integration) potentially matching
+ the rule's query.
+
+
+ NOTE: Proper work is not guaranteed, because a related integration, if
+ installed, can be
+
+ configured differently or generate data that is not necessarily relevant
+ for this rule.
+
- NOTE: Proper work is not guaranteed, because a related integration, if installed, can be
- configured differently or generate data that is not necessarily relevant for this rule.
+ Related integration is a combination of a Fleet package and (optionally)
+ one of the
+
+ package's "integrations" that this package contains. It is represented
+ by 3 properties:
- Related integration is a combination of a Fleet package and (optionally) one of the
- package's "integrations" that this package contains. It is represented by 3 properties:
- `package`: name of the package (required, unique id)
+
- `version`: version of the package (required, semver-compatible)
- - `integration`: name of the integration of this package (optional, id within the package)
- There are Fleet packages like `windows` that contain only one integration; in this case,
- `integration` should be unspecified. There are also packages like `aws` and `azure` that contain
+ - `integration`: name of the integration of this package (optional, id
+ within the package)
+
+
+ There are Fleet packages like `windows` that contain only one
+ integration; in this case,
+
+ `integration` should be unspecified. There are also packages like `aws`
+ and `azure` that contain
+
several integrations; in this case, `integration` should be specified.
example:
integration: activitylogs
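Review bot: The switch from `|` to `>` in the Security_Detections_API_RelatedIntegration description looks like it merges two Markdown bullets: a blank line was inserted between the `package` and `version` bullets, but none between `- \`version\`: version of the package (required, semver-compatible)` and the now-wrapped `- \`integration\`: …` lines, and in a folded scalar two adjacent non-empty lines at the block indent join with a space. Unless the `version` line is more-indented than the block (not visible in this view), the rendered text becomes one line reading `… semver-compatible) - \`integration\`: …`, so the fix is an empty line after the `version` bullet, matching the one already placed after `package`. The two consecutive blank lines before `There are Fleet packages like \`windows\`` also add a paragraph break that the original literal block did not have. If this file is emitter output rather than hand-written, the correction belongs in the source description or the emitter's folding/line-width settings, and the rendered description should be checked after regeneration.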
@@ -40075,23 +42537,35 @@ components:
$ref: '#/components/schemas/Security_Detections_API_RelatedIntegration'
type: array
Security_Detections_API_RequiredField:
- description: |
- Describes an Elasticsearch field that is needed for the rule to function.
+ description: >
+ Describes an Elasticsearch field that is needed for the rule to
+ function.
+
+
+ Almost all types of Security rules check source event documents for a
+ match to some kind of
+
+ query or filter. If a document has certain field with certain values,
+ then it's a match and
- Almost all types of Security rules check source event documents for a match to some kind of
- query or filter. If a document has certain field with certain values, then it's a match and
the rule will generate an alert.
- Required field is an event field that must be present in the source indices of a given rule.
+
+ Required field is an event field that must be present in the source
+ indices of a given rule.
+
@example
+
const standardEcsField: RequiredField = {
name: 'event.action',
type: 'keyword',
ecs: true,
};
+
@example
+
const nonEcsField: RequiredField = {
name: 'winlog.event_data.AttributeLDAPDisplayName',
type: 'keyword',
@@ -40100,7 +42574,10 @@ components:
type: object
properties:
ecs:
- description: Indicates whether the field is ECS-compliant. This property is only present in responses. Its value is computed based on field’s name and type.
+ description: >-
+ Indicates whether the field is ECS-compliant. This property is only
+ present in responses. Its value is computed based on field’s name
+ and type.
type: boolean
name:
description: Name of an Elasticsearch field
@@ -40121,7 +42598,10 @@ components:
$ref: '#/components/schemas/Security_Detections_API_RequiredField'
type: array
Security_Detections_API_RequiredFieldInput:
- description: Input parameters to create a RequiredField. Does not include the `ecs` field, because `ecs` is calculated on the backend based on the field name and type.
+ description: >-
+ Input parameters to create a RequiredField. Does not include the `ecs`
+ field, because `ecs` is calculated on the backend based on the field
+ name and type.
type: object
properties:
name:
@@ -40191,7 +42671,9 @@ components:
minimum: 0
type: integer
Security_Detections_API_RiskScoreMapping:
- description: Overrides generated alerts' risk_score with a value from the source event
+ description: >-
+ Overrides generated alerts' risk_score with a value from the source
+ event
items:
type: object
properties:
@@ -40254,28 +42736,35 @@ components:
- params
Security_Detections_API_RuleActionAlertsFilter:
additionalProperties: true
- description: |
+ description: >
Object containing an action’s conditional filters.
- - `timeframe` (object, optional): Object containing the time frame for when this action can be run.
+
+ - `timeframe` (object, optional): Object containing the time frame for
+ when this action can be run.
- `days` (array of integers, required): List of days of the week on which this action will be run. Days of the week are expressed as numbers between `1-7`, where `1` is Monday and `7` is Sunday. To select all days of the week, enter an empty array.
- `hours` (object, required): The hours of the day during which this action will run. Hours of the day are expressed as two strings in the format `hh:mm` in `24` hour time. A start of `00:00` and an end of `24:00` means the action can run all day.
- start (string, required): Start time in `hh:mm` format.
- end (string, required): End time in `hh:mm` format.
- `timezone` (string, required): An ISO timezone name, such as `Europe/Madrid` or `America/New_York`. Specific offsets such as `UTC` or `UTC+1` will also work, but lack built-in DST.
- - `query` (object, optional): Object containing a query filter which gets applied to an action and determines whether the action should run.
+ - `query` (object, optional): Object containing a query filter which
+ gets applied to an action and determines whether the action should run.
- `kql` (string, required): A KQL string.
- `filters` (array of objects, required): Array of filter objects, as defined in the `kbn-es-query` package.
type: object
Security_Detections_API_RuleActionFrequency:
- description: The action frequency defines when the action runs (for example, only on rule execution or at specific time intervals).
+ description: >-
+ The action frequency defines when the action runs (for example, only on
+ rule execution or at specific time intervals).
type: object
properties:
notifyWhen:
$ref: '#/components/schemas/Security_Detections_API_RuleActionNotifyWhen'
summary:
- description: Action summary indicates whether we will send a summary notification about all the generate alerts or notification per individual alert
+ description: >-
+ Action summary indicates whether we will send a summary notification
+ about all the generate alerts or notification per individual alert
type: boolean
throttle:
$ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle'
@@ -40285,7 +42774,9 @@ components:
- notifyWhen
- throttle
Security_Detections_API_RuleActionGroup:
- description: Optionally groups actions by use cases. Use `default` for alert notifications.
+ description: >-
+ Optionally groups actions by use cases. Use `default` for alert
+ notifications.
type: string
Security_Detections_API_RuleActionId:
description: The connector ID.
@@ -40299,8 +42790,10 @@ components:
type: string
Security_Detections_API_RuleActionParams:
additionalProperties: true
- description: |
- Object containing the allowed connector fields, which varies according to the connector type.
+ description: >
+ Object containing the allowed connector fields, which varies according
+ to the connector type.
+
For Slack:
@@ -40348,10 +42841,14 @@ components:
anyOf:
- $ref: '#/components/schemas/Security_Detections_API_EqlRuleCreateProps'
- $ref: '#/components/schemas/Security_Detections_API_QueryRuleCreateProps'
- - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRuleCreateProps'
- - $ref: '#/components/schemas/Security_Detections_API_ThresholdRuleCreateProps'
- - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRuleCreateProps'
- - $ref: '#/components/schemas/Security_Detections_API_MachineLearningRuleCreateProps'
+ - $ref: >-
+ #/components/schemas/Security_Detections_API_SavedQueryRuleCreateProps
+ - $ref: >-
+ #/components/schemas/Security_Detections_API_ThresholdRuleCreateProps
+ - $ref: >-
+ #/components/schemas/Security_Detections_API_ThreatMatchRuleCreateProps
+ - $ref: >-
+ #/components/schemas/Security_Detections_API_MachineLearningRuleCreateProps
- $ref: '#/components/schemas/Security_Detections_API_NewTermsRuleCreateProps'
- $ref: '#/components/schemas/Security_Detections_API_EsqlRuleCreateProps'
discriminator:
@@ -40371,8 +42868,11 @@ components:
required:
- id
Security_Detections_API_RuleExceptionList:
- description: |
- Array of [exception containers](https://www.elastic.co/guide/en/security/current/exceptions-api-overview.html), which define exceptions that prevent the rule from generating alerts even when its other criteria are met.
+ description: >
+ Array of [exception
+ containers](https://www.elastic.co/guide/en/security/current/exceptions-api-overview.html),
+ which define exceptions that prevent the rule from generating alerts
+ even when its other criteria are met.
type: object
properties:
id:
@@ -40406,7 +42906,10 @@ components:
minimum: 0
type: integer
frozen_indices_queried_count:
- description: Count of frozen indices queried during the rule execution. These indices could not be entirely excluded after applying the time range filter.
+ description: >-
+ Count of frozen indices queried during the rule execution. These
+ indices could not be entirely excluded after applying the time range
+ filter.
minimum: 0
type: integer
gap_range:
@@ -40423,25 +42926,50 @@ components:
- gte
- lte
total_enrichment_duration_ms:
- description: Total time spent enriching documents during current rule execution cycle
+ description: >-
+ Total time spent enriching documents during current rule execution
+ cycle
minimum: 0
type: integer
total_indexing_duration_ms:
- description: Total time spent indexing documents during current rule execution cycle
+ description: >-
+ Total time spent indexing documents during current rule execution
+ cycle
minimum: 0
type: integer
total_search_duration_ms:
- description: Total time spent performing ES searches as measured by Kibana; includes network latency and time spent serializing/deserializing request/response
+ description: >-
+ Total time spent performing ES searches as measured by Kibana;
+ includes network latency and time spent serializing/deserializing
+ request/response
minimum: 0
type: integer
Security_Detections_API_RuleExecutionStatus:
- description: |-
- Custom execution status of Security rules that is different from the status used in the Alerting Framework. We merge our custom status with the Framework's status to determine the resulting status of a rule.
- - going to run - @deprecated Replaced by the 'running' status but left for backwards compatibility with rule execution events already written to Event Log in the prior versions of Kibana. Don't use when writing rule status changes.
- - running - Rule execution started but not reached any intermediate or final status.
- - partial failure - Rule can partially fail for various reasons either in the middle of an execution (in this case we update its status right away) or in the end of it. So currently this status can be both intermediate and final at the same time. A typical reason for a partial failure: not all the indices that the rule searches over actually exist.
- - failed - Rule failed to execute due to unhandled exception or a reason defined in the business logic of its executor function.
- - succeeded - Rule executed successfully without any issues. Note: this status is just an indication of a rule's "health". The rule might or might not generate any alerts despite of it.
+ description: >-
+ Custom execution status of Security rules that is different from the
+ status used in the Alerting Framework. We merge our custom status with
+ the Framework's status to determine the resulting status of a rule.
+
+ - going to run - @deprecated Replaced by the 'running' status but left
+ for backwards compatibility with rule execution events already written
+ to Event Log in the prior versions of Kibana. Don't use when writing
+ rule status changes.
+
+ - running - Rule execution started but not reached any intermediate or
+ final status.
+
+ - partial failure - Rule can partially fail for various reasons either
+ in the middle of an execution (in this case we update its status right
+ away) or in the end of it. So currently this status can be both
+ intermediate and final at the same time. A typical reason for a partial
+ failure: not all the indices that the rule searches over actually exist.
+
+ - failed - Rule failed to execute due to unhandled exception or a reason
+ defined in the business logic of its executor function.
+
+ - succeeded - Rule executed successfully without any issues. Note: this
+ status is just an indication of a rule's "health". The rule might or
+ might not generate any alerts despite of it.
enum:
- going to run
- running
@@ -40468,12 +42996,14 @@ components:
message:
type: string
metrics:
- $ref: '#/components/schemas/Security_Detections_API_RuleExecutionMetrics'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_RuleExecutionMetrics
status:
$ref: '#/components/schemas/Security_Detections_API_RuleExecutionStatus'
description: Status of the last execution
status_order:
- $ref: '#/components/schemas/Security_Detections_API_RuleExecutionStatusOrder'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_RuleExecutionStatusOrder
required:
- date
- status
@@ -40483,22 +43013,33 @@ components:
required:
- last_execution
Security_Detections_API_RuleFalsePositiveArray:
- description: String array used to describe common reasons why the rule may issue false-positive alerts. Defaults to an empty array.
+ description: >-
+ String array used to describe common reasons why the rule may issue
+ false-positive alerts. Defaults to an empty array.
items:
type: string
type: array
Security_Detections_API_RuleFilterArray:
- description: |
- The query and filter context array used to define the conditions for when alerts are created from events. Defaults to an empty array.
+ description: >
+ The query and filter context array used to define the conditions for
+ when alerts are created from events. Defaults to an empty array.
+
> info
+
> This field is not supported for ES|QL rules.
items: {}
type: array
Security_Detections_API_RuleInterval:
- description: Frequency of rule execution, using a date math range. For example, "1h" means the rule runs every hour. Defaults to 5m (5 minutes).
+ description: >-
+ Frequency of rule execution, using a date math range. For example, "1h"
+ means the rule runs every hour. Defaults to 5m (5 minutes).
type: string
Security_Detections_API_RuleIntervalFrom:
- description: Time from which data is analyzed each time the rule runs, using a date math range. For example, now-4200s means the rule analyzes data from 70 minutes before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time).
+ description: >-
+ Time from which data is analyzed each time the rule runs, using a date
+ math range. For example, now-4200s means the rule analyzes data from 70
+ minutes before its start time. Defaults to now-6m (analyzes data from 6
+ minutes before the start time).
format: date-math
type: string
Security_Detections_API_RuleIntervalTo:
@@ -40508,10 +43049,13 @@ components:
type: string
Security_Detections_API_RuleMetadata:
additionalProperties: true
- description: |
+ description: >
Placeholder for metadata about the rule.
+
> info
- > This field is overwritten when you save changes to the rule’s settings.
+
+ > This field is overwritten when you save changes to the rule’s
+ settings.
type: object
Security_Detections_API_RuleName:
description: A human-readable name for the rule.
@@ -40519,19 +43063,31 @@ components:
minLength: 1
type: string
Security_Detections_API_RuleNameOverride:
- description: Sets which field in the source event is used to populate the alert's `signal.rule.name` value (in the UI, this value is displayed on the Rules page in the Rule column). When unspecified, the rule’s `name` value is used. The source field must be a string data type.
+ description: >-
+ Sets which field in the source event is used to populate the alert's
+ `signal.rule.name` value (in the UI, this value is displayed on the
+ Rules page in the Rule column). When unspecified, the rule’s `name`
+ value is used. The source field must be a string data type.
type: string
Security_Detections_API_RuleObjectId:
$ref: '#/components/schemas/Security_Detections_API_UUID'
- description: A dynamic unique identifier for the rule object. It is randomly generated when a rule is created and cannot be changed after that. It is always a UUID. It is unique within a given Kibana space. The same prebuilt Elastic rule, when installed in two different Kibana spaces or two different Elastic environments, will have different object `id`s.
+ description: >-
+ A dynamic unique identifier for the rule object. It is randomly
+ generated when a rule is created and cannot be changed after that. It is
+ always a UUID. It is unique within a given Kibana space. The same
+ prebuilt Elastic rule, when installed in two different Kibana spaces or
+ two different Elastic environments, will have different object `id`s.
Security_Detections_API_RulePatchProps:
anyOf:
- $ref: '#/components/schemas/Security_Detections_API_EqlRulePatchProps'
- $ref: '#/components/schemas/Security_Detections_API_QueryRulePatchProps'
- - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRulePatchProps'
+ - $ref: >-
+ #/components/schemas/Security_Detections_API_SavedQueryRulePatchProps
- $ref: '#/components/schemas/Security_Detections_API_ThresholdRulePatchProps'
- - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRulePatchProps'
- - $ref: '#/components/schemas/Security_Detections_API_MachineLearningRulePatchProps'
+ - $ref: >-
+ #/components/schemas/Security_Detections_API_ThreatMatchRulePatchProps
+ - $ref: >-
+ #/components/schemas/Security_Detections_API_MachineLearningRulePatchProps
- $ref: '#/components/schemas/Security_Detections_API_NewTermsRulePatchProps'
- $ref: '#/components/schemas/Security_Detections_API_EsqlRulePatchProps'
Security_Detections_API_RulePreviewLoggedRequest:
@@ -40557,7 +43113,8 @@ components:
type: array
requests:
items:
- $ref: '#/components/schemas/Security_Detections_API_RulePreviewLoggedRequest'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_RulePreviewLoggedRequest
type: array
startedAt:
$ref: '#/components/schemas/Security_Detections_API_NonEmptyString'
@@ -40581,14 +43138,22 @@ components:
- invocationCount
- timeframeEnd
Security_Detections_API_RuleQuery:
- description: |
- [Query](https://www.elastic.co/guide/en/kibana/8.17/search.html) used by the rule to create alerts.
+ description: >
+ [Query](https://www.elastic.co/guide/en/kibana/8.17/search.html) used by
+ the rule to create alerts.
+
+
+ - For indicator match rules, only the query’s results are used to
+ determine whether an alert is generated.
- - For indicator match rules, only the query’s results are used to determine whether an alert is generated.
- - ES|QL rules have additional query requirements. Refer to [Create ES|QL](https://www.elastic.co/guide/en/security/current/rules-ui-create.html#create-esql-rule) rules for more information.
+ - ES|QL rules have additional query requirements. Refer to [Create
+ ES|QL](https://www.elastic.co/guide/en/security/current/rules-ui-create.html#create-esql-rule)
+ rules for more information.
type: string
Security_Detections_API_RuleReferenceArray:
- description: Array containing notes about or references to relevant information about the rule. Defaults to an empty array.
+ description: >-
+ Array containing notes about or references to relevant information about
+ the rule. Defaults to an empty array.
items:
type: string
type: array
@@ -40605,26 +43170,47 @@ components:
discriminator:
propertyName: type
Security_Detections_API_RuleRevision:
- description: |
+ description: >
The rule's revision number.
- It represents the version of rule's object in Kibana. It is set to `0` when the rule is installed or created and then gets incremented on each update.
+
+ It represents the version of rule's object in Kibana. It is set to `0`
+ when the rule is installed or created and then gets incremented on each
+ update.
+
> info
- > Not all updates to any rule fields will increment the revision. Only those fields that are considered static `rule parameters` can trigger revision increments. For example, an update to a rule's query or index fields will increment the rule's revision by `1`. However, changes to dynamic or technical fields like enabled or execution_summary will not cause revision increments.
+
+ > Not all updates to any rule fields will increment the revision. Only
+ those fields that are considered static `rule parameters` can trigger
+ revision increments. For example, an update to a rule's query or index
+ fields will increment the rule's revision by `1`. However, changes to
+ dynamic or technical fields like enabled or execution_summary will not
+ cause revision increments.
minimum: 0
type: integer
Security_Detections_API_RuleSignatureId:
- description: A stable unique identifier for the rule object. It can be assigned during rule creation. It can be any string, but often is a UUID. It should be unique not only within a given Kibana space, but also across spaces and Elastic environments. The same prebuilt Elastic rule, when installed in two different Kibana spaces or two different Elastic environments, will have the same `rule_id`s.
+ description: >-
+ A stable unique identifier for the rule object. It can be assigned
+ during rule creation. It can be any string, but often is a UUID. It
+ should be unique not only within a given Kibana space, but also across
+ spaces and Elastic environments. The same prebuilt Elastic rule, when
+ installed in two different Kibana spaces or two different Elastic
+ environments, will have the same `rule_id`s.
type: string
Security_Detections_API_RuleSource:
- description: Discriminated union that determines whether the rule is internally sourced (created within the Kibana app) or has an external source, such as the Elastic Prebuilt rules repo.
+ description: >-
+ Discriminated union that determines whether the rule is internally
+ sourced (created within the Kibana app) or has an external source, such
+ as the Elastic Prebuilt rules repo.
discriminator:
propertyName: type
oneOf:
- $ref: '#/components/schemas/Security_Detections_API_ExternalRuleSource'
- $ref: '#/components/schemas/Security_Detections_API_InternalRuleSource'
Security_Detections_API_RuleTagArray:
- description: String array containing words and phrases to help categorize, filter, and search rules. Defaults to an empty array.
+ description: >-
+ String array containing words and phrases to help categorize, filter,
+ and search rules. Defaults to an empty array.
items:
type: string
type: array
@@ -40632,22 +43218,34 @@ components:
anyOf:
- $ref: '#/components/schemas/Security_Detections_API_EqlRuleUpdateProps'
- $ref: '#/components/schemas/Security_Detections_API_QueryRuleUpdateProps'
- - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRuleUpdateProps'
- - $ref: '#/components/schemas/Security_Detections_API_ThresholdRuleUpdateProps'
- - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRuleUpdateProps'
- - $ref: '#/components/schemas/Security_Detections_API_MachineLearningRuleUpdateProps'
+ - $ref: >-
+ #/components/schemas/Security_Detections_API_SavedQueryRuleUpdateProps
+ - $ref: >-
+ #/components/schemas/Security_Detections_API_ThresholdRuleUpdateProps
+ - $ref: >-
+ #/components/schemas/Security_Detections_API_ThreatMatchRuleUpdateProps
+ - $ref: >-
+ #/components/schemas/Security_Detections_API_MachineLearningRuleUpdateProps
- $ref: '#/components/schemas/Security_Detections_API_NewTermsRuleUpdateProps'
- $ref: '#/components/schemas/Security_Detections_API_EsqlRuleUpdateProps'
discriminator:
propertyName: type
Security_Detections_API_RuleVersion:
- description: |
+ description: >
The rule's version number.
- - For prebuilt rules it represents the version of the rule's content in the source [detection-rules](https://github.com/elastic/detection-rules) repository (and the corresponding `security_detection_engine` Fleet package that is used for distributing prebuilt rules).
+
+ - For prebuilt rules it represents the version of the rule's content in
+ the source [detection-rules](https://github.com/elastic/detection-rules)
+ repository (and the corresponding `security_detection_engine` Fleet
+ package that is used for distributing prebuilt rules).
+
- For custom rules it is set to `1` when the rule is created.
+
> info
- > It is not incremented on each update. Compare this to the `revision` field.
+
+ > It is not incremented on each update. Compare this to the `revision`
+ field.
minimum: 1
type: integer
Security_Detections_API_SavedObjectResolveAliasPurpose:
@@ -40664,21 +43262,28 @@ components:
- conflict
type: string
Security_Detections_API_SavedQueryId:
- description: Kibana [saved search](https://www.elastic.co/guide/en/kibana/current/save-open-search.html) used by the rule to create alerts.
+ description: >-
+ Kibana [saved
+ search](https://www.elastic.co/guide/en/kibana/current/save-open-search.html)
+ used by the rule to create alerts.
type: string
Security_Detections_API_SavedQueryRule:
allOf:
- type: object
properties:
actions:
- description: Array defining the automated actions (notifications) taken when alerts are generated.
+ description: >-
+ Array defining the automated actions (notifications) taken when
+ alerts are generated.
items:
$ref: '#/components/schemas/Security_Detections_API_RuleAction'
type: array
alias_purpose:
- $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose
alias_target_id:
- $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId
author:
$ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray'
building_block_type:
@@ -40692,7 +43297,8 @@ components:
$ref: '#/components/schemas/Security_Detections_API_RuleExceptionList'
type: array
false_positives:
- $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_RuleFalsePositiveArray
from:
$ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom'
interval:
@@ -40708,24 +43314,35 @@ components:
name:
$ref: '#/components/schemas/Security_Detections_API_RuleName'
namespace:
- $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_AlertsIndexNamespace
note:
$ref: '#/components/schemas/Security_Detections_API_InvestigationGuide'
outcome:
- $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome
output_index:
$ref: '#/components/schemas/Security_Detections_API_AlertsIndex'
references:
$ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray'
related_integrations:
- $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_RelatedIntegrationArray
required_fields:
- description: |
- Elasticsearch fields and their types that need to be present for the rule to function.
+ description: >
+ Elasticsearch fields and their types that need to be present for
+ the rule to function.
+
> info
- > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data.
+
+ > The value of `required_fields` does not affect the rule’s
+ behavior, and specifying it incorrectly won’t cause the rule to
+ fail. Use `required_fields` as an informational property to
+ document the fields that the rule expects to be present in the
+ data.
items:
- $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_RequiredFieldInput
type: array
response_actions:
items:
@@ -40752,11 +43369,13 @@ components:
timeline_id:
$ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId'
timeline_title:
- $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_TimelineTemplateTitle
timestamp_override:
$ref: '#/components/schemas/Security_Detections_API_TimestampOverride'
timestamp_override_fallback_disabled:
- $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled
to:
$ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo'
version:
@@ -40785,25 +43404,33 @@ components:
- related_integrations
- required_fields
- $ref: '#/components/schemas/Security_Detections_API_ResponseFields'
- - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRuleResponseFields'
+ - $ref: >-
+ #/components/schemas/Security_Detections_API_SavedQueryRuleResponseFields
Security_Detections_API_SavedQueryRuleCreateFields:
allOf:
- - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRuleRequiredFields'
- - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRuleOptionalFields'
- - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRuleDefaultableFields'
+ - $ref: >-
+ #/components/schemas/Security_Detections_API_SavedQueryRuleRequiredFields
+ - $ref: >-
+ #/components/schemas/Security_Detections_API_SavedQueryRuleOptionalFields
+ - $ref: >-
+ #/components/schemas/Security_Detections_API_SavedQueryRuleDefaultableFields
Security_Detections_API_SavedQueryRuleCreateProps:
allOf:
- type: object
properties:
actions:
- description: Array defining the automated actions (notifications) taken when alerts are generated.
+ description: >-
+ Array defining the automated actions (notifications) taken when
+ alerts are generated.
items:
$ref: '#/components/schemas/Security_Detections_API_RuleAction'
type: array
alias_purpose:
- $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose
alias_target_id:
- $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId
author:
$ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray'
building_block_type:
@@ -40817,7 +43444,8 @@ components:
$ref: '#/components/schemas/Security_Detections_API_RuleExceptionList'
type: array
false_positives:
- $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_RuleFalsePositiveArray
from:
$ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom'
interval:
@@ -40833,24 +43461,35 @@ components:
name:
$ref: '#/components/schemas/Security_Detections_API_RuleName'
namespace:
- $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_AlertsIndexNamespace
note:
$ref: '#/components/schemas/Security_Detections_API_InvestigationGuide'
outcome:
- $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome
output_index:
$ref: '#/components/schemas/Security_Detections_API_AlertsIndex'
references:
$ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray'
related_integrations:
- $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_RelatedIntegrationArray
required_fields:
- description: |
- Elasticsearch fields and their types that need to be present for the rule to function.
+ description: >
+ Elasticsearch fields and their types that need to be present for
+ the rule to function.
+
> info
- > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data.
+
+ > The value of `required_fields` does not affect the rule’s
+ behavior, and specifying it incorrectly won’t cause the rule to
+ fail. Use `required_fields` as an informational property to
+ document the fields that the rule expects to be present in the
+ data.
items:
- $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_RequiredFieldInput
type: array
response_actions:
items:
@@ -40879,11 +43518,13 @@ components:
timeline_id:
$ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId'
timeline_title:
- $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_TimelineTemplateTitle
timestamp_override:
$ref: '#/components/schemas/Security_Detections_API_TimestampOverride'
timestamp_override_fallback_disabled:
- $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled
to:
$ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo'
version:
@@ -40893,7 +43534,8 @@ components:
- description
- risk_score
- severity
- - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRuleCreateFields'
+ - $ref: >-
+ #/components/schemas/Security_Detections_API_SavedQueryRuleCreateFields
Security_Detections_API_SavedQueryRuleDefaultableFields:
type: object
properties:
@@ -40923,21 +43565,27 @@ components:
enum:
- saved_query
type: string
- - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRuleOptionalFields'
- - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRuleDefaultableFields'
+ - $ref: >-
+ #/components/schemas/Security_Detections_API_SavedQueryRuleOptionalFields
+ - $ref: >-
+ #/components/schemas/Security_Detections_API_SavedQueryRuleDefaultableFields
Security_Detections_API_SavedQueryRulePatchProps:
allOf:
- type: object
properties:
actions:
- description: Array defining the automated actions (notifications) taken when alerts are generated.
+ description: >-
+ Array defining the automated actions (notifications) taken when
+ alerts are generated.
items:
$ref: '#/components/schemas/Security_Detections_API_RuleAction'
type: array
alias_purpose:
- $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose
alias_target_id:
- $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId
author:
$ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray'
building_block_type:
@@ -40951,7 +43599,8 @@ components:
$ref: '#/components/schemas/Security_Detections_API_RuleExceptionList'
type: array
false_positives:
- $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_RuleFalsePositiveArray
from:
$ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom'
id:
@@ -40969,24 +43618,35 @@ components:
name:
$ref: '#/components/schemas/Security_Detections_API_RuleName'
namespace:
- $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_AlertsIndexNamespace
note:
$ref: '#/components/schemas/Security_Detections_API_InvestigationGuide'
outcome:
- $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome
output_index:
$ref: '#/components/schemas/Security_Detections_API_AlertsIndex'
references:
$ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray'
related_integrations:
- $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_RelatedIntegrationArray
required_fields:
- description: |
- Elasticsearch fields and their types that need to be present for the rule to function.
+ description: >
+ Elasticsearch fields and their types that need to be present for
+ the rule to function.
+
> info
- > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data.
+
+ > The value of `required_fields` does not affect the rule’s
+ behavior, and specifying it incorrectly won’t cause the rule to
+ fail. Use `required_fields` as an informational property to
+ document the fields that the rule expects to be present in the
+ data.
items:
- $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_RequiredFieldInput
type: array
response_actions:
items:
@@ -41015,16 +43675,19 @@ components:
timeline_id:
$ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId'
timeline_title:
- $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_TimelineTemplateTitle
timestamp_override:
$ref: '#/components/schemas/Security_Detections_API_TimestampOverride'
timestamp_override_fallback_disabled:
- $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled
to:
$ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo'
version:
$ref: '#/components/schemas/Security_Detections_API_RuleVersion'
- - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRulePatchFields'
+ - $ref: >-
+ #/components/schemas/Security_Detections_API_SavedQueryRulePatchFields
Security_Detections_API_SavedQueryRuleRequiredFields:
type: object
properties:
@@ -41040,8 +43703,10 @@ components:
- saved_id
Security_Detections_API_SavedQueryRuleResponseFields:
allOf:
- - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRuleRequiredFields'
- - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRuleOptionalFields'
+ - $ref: >-
+ #/components/schemas/Security_Detections_API_SavedQueryRuleRequiredFields
+ - $ref: >-
+ #/components/schemas/Security_Detections_API_SavedQueryRuleOptionalFields
- type: object
properties:
language:
@@ -41053,14 +43718,18 @@ components:
- type: object
properties:
actions:
- description: Array defining the automated actions (notifications) taken when alerts are generated.
+ description: >-
+ Array defining the automated actions (notifications) taken when
+ alerts are generated.
items:
$ref: '#/components/schemas/Security_Detections_API_RuleAction'
type: array
alias_purpose:
- $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose
alias_target_id:
- $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId
author:
$ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray'
building_block_type:
@@ -41074,7 +43743,8 @@ components:
$ref: '#/components/schemas/Security_Detections_API_RuleExceptionList'
type: array
false_positives:
- $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_RuleFalsePositiveArray
from:
$ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom'
id:
@@ -41092,24 +43762,35 @@ components:
name:
$ref: '#/components/schemas/Security_Detections_API_RuleName'
namespace:
- $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_AlertsIndexNamespace
note:
$ref: '#/components/schemas/Security_Detections_API_InvestigationGuide'
outcome:
- $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome
output_index:
$ref: '#/components/schemas/Security_Detections_API_AlertsIndex'
references:
$ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray'
related_integrations:
- $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_RelatedIntegrationArray
required_fields:
- description: |
- Elasticsearch fields and their types that need to be present for the rule to function.
+ description: >
+ Elasticsearch fields and their types that need to be present for
+ the rule to function.
+
> info
- > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data.
+
+ > The value of `required_fields` does not affect the rule’s
+ behavior, and specifying it incorrectly won’t cause the rule to
+ fail. Use `required_fields` as an informational property to
+ document the fields that the rule expects to be present in the
+ data.
items:
- $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_RequiredFieldInput
type: array
response_actions:
items:
@@ -41138,11 +43819,13 @@ components:
timeline_id:
$ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId'
timeline_title:
- $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_TimelineTemplateTitle
timestamp_override:
$ref: '#/components/schemas/Security_Detections_API_TimestampOverride'
timestamp_override_fallback_disabled:
- $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled
to:
$ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo'
version:
@@ -41152,7 +43835,8 @@ components:
- description
- risk_score
- severity
- - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRuleCreateFields'
+ - $ref: >-
+ #/components/schemas/Security_Detections_API_SavedQueryRuleCreateFields
Security_Detections_API_SetAlertsStatusByIds:
type: object
properties:
@@ -41194,15 +43878,25 @@ components:
- tags_to_add
- tags_to_remove
Security_Detections_API_SetupGuide:
- description: Populates the rule’s setup guide with instructions on rule prerequisites such as required integrations, configuration steps, and anything else needed for the rule to work correctly.
+ description: >-
+ Populates the rule’s setup guide with instructions on rule prerequisites
+ such as required integrations, configuration steps, and anything else
+ needed for the rule to work correctly.
type: string
Security_Detections_API_Severity:
- description: |
- Severity level of alerts produced by the rule, which must be one of the following:
- * `low`: Alerts that are of interest but generally not considered to be security incidents
+ description: >
+ Severity level of alerts produced by the rule, which must be one of the
+ following:
+
+ * `low`: Alerts that are of interest but generally not considered to be
+ security incidents
+
* `medium`: Alerts that require investigation
+
* `high`: Alerts that require immediate investigation
- * `critical`: Alerts that indicate it is highly likely a security incident has occurred
+
+ * `critical`: Alerts that indicate it is highly likely a security
+ incident has occurred
enum:
- low
- medium
@@ -41254,9 +43948,11 @@ components:
- desc
type: string
Security_Detections_API_Threat:
- description: |
+ description: >
> info
- > Currently, only threats described using the MITRE ATT&CK™ framework are supported.
+
+ > Currently, only threats described using the MITRE ATT&CK™
+ framework are supported.
type: object
properties:
framework:
@@ -41278,7 +43974,9 @@ components:
type: array
Security_Detections_API_ThreatFilters:
items:
- description: Query and filter context array used to filter documents from the Elasticsearch index containing the threat values
+ description: >-
+ Query and filter context array used to filter documents from the
+ Elasticsearch index containing the threat values
type: array
Security_Detections_API_ThreatIndex:
description: Elasticsearch indices used to check which field values generate alerts.
@@ -41286,17 +43984,28 @@ components:
type: string
type: array
Security_Detections_API_ThreatIndicatorPath:
- description: Defines the path to the threat indicator in the indicator documents (optional)
+ description: >-
+ Defines the path to the threat indicator in the indicator documents
+ (optional)
type: string
Security_Detections_API_ThreatMapping:
- description: |
- Array of entries objects that define mappings between the source event fields and the values in the Elasticsearch threat index. Each entries object must contain these fields:
+ description: >
+ Array of entries objects that define mappings between the source event
+ fields and the values in the Elasticsearch threat index. Each entries
+ object must contain these fields:
+
- field: field from the event indices on which the rule runs
+
- type: must be mapping
+
- value: field from the Elasticsearch threat index
- You can use Boolean and and or logic to define the conditions for when matching fields and values generate alerts. Sibling entries objects are evaluated using or logic, whereas multiple entries in a single entries object use and logic. See Example of Threat Match rule which uses both `and` and `or` logic.
+ You can use Boolean and and or logic to define the conditions for when
+ matching fields and values generate alerts. Sibling entries objects are
+ evaluated using or logic, whereas multiple entries in a single entries
+ object use and logic. See Example of Threat Match rule which uses both
+ `and` and `or` logic.
items:
type: object
properties:
@@ -41326,14 +44035,18 @@ components:
- type: object
properties:
actions:
- description: Array defining the automated actions (notifications) taken when alerts are generated.
+ description: >-
+ Array defining the automated actions (notifications) taken when
+ alerts are generated.
items:
$ref: '#/components/schemas/Security_Detections_API_RuleAction'
type: array
alias_purpose:
- $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose
alias_target_id:
- $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId
author:
$ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray'
building_block_type:
@@ -41347,7 +44060,8 @@ components:
$ref: '#/components/schemas/Security_Detections_API_RuleExceptionList'
type: array
false_positives:
- $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_RuleFalsePositiveArray
from:
$ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom'
interval:
@@ -41363,24 +44077,35 @@ components:
name:
$ref: '#/components/schemas/Security_Detections_API_RuleName'
namespace:
- $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_AlertsIndexNamespace
note:
$ref: '#/components/schemas/Security_Detections_API_InvestigationGuide'
outcome:
- $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome
output_index:
$ref: '#/components/schemas/Security_Detections_API_AlertsIndex'
references:
$ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray'
related_integrations:
- $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_RelatedIntegrationArray
required_fields:
- description: |
- Elasticsearch fields and their types that need to be present for the rule to function.
+ description: >
+ Elasticsearch fields and their types that need to be present for
+ the rule to function.
+
> info
- > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data.
+
+ > The value of `required_fields` does not affect the rule’s
+ behavior, and specifying it incorrectly won’t cause the rule to
+ fail. Use `required_fields` as an informational property to
+ document the fields that the rule expects to be present in the
+ data.
items:
- $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_RequiredFieldInput
type: array
response_actions:
items:
@@ -41407,11 +44132,13 @@ components:
timeline_id:
$ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId'
timeline_title:
- $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_TimelineTemplateTitle
timestamp_override:
$ref: '#/components/schemas/Security_Detections_API_TimestampOverride'
timestamp_override_fallback_disabled:
- $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled
to:
$ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo'
version:
@@ -41440,25 +44167,33 @@ components:
- related_integrations
- required_fields
- $ref: '#/components/schemas/Security_Detections_API_ResponseFields'
- - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRuleResponseFields'
+ - $ref: >-
+ #/components/schemas/Security_Detections_API_ThreatMatchRuleResponseFields
Security_Detections_API_ThreatMatchRuleCreateFields:
allOf:
- - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRuleRequiredFields'
- - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRuleOptionalFields'
- - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRuleDefaultableFields'
+ - $ref: >-
+ #/components/schemas/Security_Detections_API_ThreatMatchRuleRequiredFields
+ - $ref: >-
+ #/components/schemas/Security_Detections_API_ThreatMatchRuleOptionalFields
+ - $ref: >-
+ #/components/schemas/Security_Detections_API_ThreatMatchRuleDefaultableFields
Security_Detections_API_ThreatMatchRuleCreateProps:
allOf:
- type: object
properties:
actions:
- description: Array defining the automated actions (notifications) taken when alerts are generated.
+ description: >-
+ Array defining the automated actions (notifications) taken when
+ alerts are generated.
items:
$ref: '#/components/schemas/Security_Detections_API_RuleAction'
type: array
alias_purpose:
- $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose
alias_target_id:
- $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId
author:
$ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray'
building_block_type:
@@ -41472,7 +44207,8 @@ components:
$ref: '#/components/schemas/Security_Detections_API_RuleExceptionList'
type: array
false_positives:
- $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_RuleFalsePositiveArray
from:
$ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom'
interval:
@@ -41488,24 +44224,35 @@ components:
name:
$ref: '#/components/schemas/Security_Detections_API_RuleName'
namespace:
- $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_AlertsIndexNamespace
note:
$ref: '#/components/schemas/Security_Detections_API_InvestigationGuide'
outcome:
- $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome
output_index:
$ref: '#/components/schemas/Security_Detections_API_AlertsIndex'
references:
$ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray'
related_integrations:
- $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_RelatedIntegrationArray
required_fields:
- description: |
- Elasticsearch fields and their types that need to be present for the rule to function.
+ description: >
+ Elasticsearch fields and their types that need to be present for
+ the rule to function.
+
> info
- > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data.
+
+ > The value of `required_fields` does not affect the rule’s
+ behavior, and specifying it incorrectly won’t cause the rule to
+ fail. Use `required_fields` as an informational property to
+ document the fields that the rule expects to be present in the
+ data.
items:
- $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_RequiredFieldInput
type: array
response_actions:
items:
@@ -41534,11 +44281,13 @@ components:
timeline_id:
$ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId'
timeline_title:
- $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_TimelineTemplateTitle
timestamp_override:
$ref: '#/components/schemas/Security_Detections_API_TimestampOverride'
timestamp_override_fallback_disabled:
- $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled
to:
$ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo'
version:
@@ -41548,7 +44297,8 @@ components:
- description
- risk_score
- severity
- - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRuleCreateFields'
+ - $ref: >-
+ #/components/schemas/Security_Detections_API_ThreatMatchRuleCreateFields
Security_Detections_API_ThreatMatchRuleDefaultableFields:
type: object
properties:
@@ -41594,21 +44344,27 @@ components:
enum:
- threat_match
type: string
- - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRuleOptionalFields'
- - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRuleDefaultableFields'
+ - $ref: >-
+ #/components/schemas/Security_Detections_API_ThreatMatchRuleOptionalFields
+ - $ref: >-
+ #/components/schemas/Security_Detections_API_ThreatMatchRuleDefaultableFields
Security_Detections_API_ThreatMatchRulePatchProps:
allOf:
- type: object
properties:
actions:
- description: Array defining the automated actions (notifications) taken when alerts are generated.
+ description: >-
+ Array defining the automated actions (notifications) taken when
+ alerts are generated.
items:
$ref: '#/components/schemas/Security_Detections_API_RuleAction'
type: array
alias_purpose:
- $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose
alias_target_id:
- $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId
author:
$ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray'
building_block_type:
@@ -41622,7 +44378,8 @@ components:
$ref: '#/components/schemas/Security_Detections_API_RuleExceptionList'
type: array
false_positives:
- $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_RuleFalsePositiveArray
from:
$ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom'
id:
@@ -41640,24 +44397,35 @@ components:
name:
$ref: '#/components/schemas/Security_Detections_API_RuleName'
namespace:
- $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_AlertsIndexNamespace
note:
$ref: '#/components/schemas/Security_Detections_API_InvestigationGuide'
outcome:
- $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome
output_index:
$ref: '#/components/schemas/Security_Detections_API_AlertsIndex'
references:
$ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray'
related_integrations:
- $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_RelatedIntegrationArray
required_fields:
- description: |
- Elasticsearch fields and their types that need to be present for the rule to function.
+ description: >
+ Elasticsearch fields and their types that need to be present for
+ the rule to function.
+
> info
- > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data.
+
+ > The value of `required_fields` does not affect the rule’s
+ behavior, and specifying it incorrectly won’t cause the rule to
+ fail. Use `required_fields` as an informational property to
+ document the fields that the rule expects to be present in the
+ data.
items:
- $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_RequiredFieldInput
type: array
response_actions:
items:
@@ -41686,16 +44454,19 @@ components:
timeline_id:
$ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId'
timeline_title:
- $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_TimelineTemplateTitle
timestamp_override:
$ref: '#/components/schemas/Security_Detections_API_TimestampOverride'
timestamp_override_fallback_disabled:
- $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled
to:
$ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo'
version:
$ref: '#/components/schemas/Security_Detections_API_RuleVersion'
- - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRulePatchFields'
+ - $ref: >-
+ #/components/schemas/Security_Detections_API_ThreatMatchRulePatchFields
Security_Detections_API_ThreatMatchRuleRequiredFields:
type: object
properties:
@@ -41720,8 +44491,10 @@ components:
- threat_index
Security_Detections_API_ThreatMatchRuleResponseFields:
allOf:
- - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRuleRequiredFields'
- - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRuleOptionalFields'
+ - $ref: >-
+ #/components/schemas/Security_Detections_API_ThreatMatchRuleRequiredFields
+ - $ref: >-
+ #/components/schemas/Security_Detections_API_ThreatMatchRuleOptionalFields
- type: object
properties:
language:
@@ -41733,14 +44506,18 @@ components:
- type: object
properties:
actions:
- description: Array defining the automated actions (notifications) taken when alerts are generated.
+ description: >-
+ Array defining the automated actions (notifications) taken when
+ alerts are generated.
items:
$ref: '#/components/schemas/Security_Detections_API_RuleAction'
type: array
alias_purpose:
- $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose
alias_target_id:
- $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId
author:
$ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray'
building_block_type:
@@ -41754,7 +44531,8 @@ components:
$ref: '#/components/schemas/Security_Detections_API_RuleExceptionList'
type: array
false_positives:
- $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_RuleFalsePositiveArray
from:
$ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom'
id:
@@ -41772,24 +44550,35 @@ components:
name:
$ref: '#/components/schemas/Security_Detections_API_RuleName'
namespace:
- $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_AlertsIndexNamespace
note:
$ref: '#/components/schemas/Security_Detections_API_InvestigationGuide'
outcome:
- $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome
output_index:
$ref: '#/components/schemas/Security_Detections_API_AlertsIndex'
references:
$ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray'
related_integrations:
- $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_RelatedIntegrationArray
required_fields:
- description: |
- Elasticsearch fields and their types that need to be present for the rule to function.
+ description: >
+ Elasticsearch fields and their types that need to be present for
+ the rule to function.
+
> info
- > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data.
+
+ > The value of `required_fields` does not affect the rule’s
+ behavior, and specifying it incorrectly won’t cause the rule to
+ fail. Use `required_fields` as an informational property to
+ document the fields that the rule expects to be present in the
+ data.
items:
- $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_RequiredFieldInput
type: array
response_actions:
items:
@@ -41818,11 +44607,13 @@ components:
timeline_id:
$ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId'
timeline_title:
- $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_TimelineTemplateTitle
timestamp_override:
$ref: '#/components/schemas/Security_Detections_API_TimestampOverride'
timestamp_override_fallback_disabled:
- $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled
to:
$ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo'
version:
@@ -41832,9 +44623,12 @@ components:
- description
- risk_score
- severity
- - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRuleCreateFields'
+ - $ref: >-
+ #/components/schemas/Security_Detections_API_ThreatMatchRuleCreateFields
Security_Detections_API_ThreatQuery:
- description: Query used to determine which fields in the Elasticsearch index are used for generating alerts.
+ description: >-
+ Query used to determine which fields in the Elasticsearch index are used
+ for generating alerts.
type: string
Security_Detections_API_ThreatSubtechnique:
type: object
@@ -41909,7 +44703,8 @@ components:
type: object
properties:
duration:
- $ref: '#/components/schemas/Security_Detections_API_AlertSuppressionDuration'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_AlertSuppressionDuration
required:
- duration
Security_Detections_API_ThresholdCardinality:
@@ -41921,7 +44716,9 @@ components:
description: The field on which to calculate and compare the cardinality.
type: string
value:
- description: The threshold value from which an alert is generated based on unique number of values of cardinality.field.
+ description: >-
+ The threshold value from which an alert is generated based on
+ unique number of values of cardinality.field.
minimum: 0
type: integer
required:
@@ -41929,7 +44726,10 @@ components:
- value
type: array
Security_Detections_API_ThresholdField:
- description: The field on which the threshold is applied. If you specify an empty array ([]), alerts are generated when the query returns at least the number of results specified in the value field.
+ description: >-
+ The field on which the threshold is applied. If you specify an empty
+ array ([]), alerts are generated when the query returns at least the
+ number of results specified in the value field.
oneOf:
- type: string
- items:
@@ -41940,14 +44740,18 @@ components:
- type: object
properties:
actions:
- description: Array defining the automated actions (notifications) taken when alerts are generated.
+ description: >-
+ Array defining the automated actions (notifications) taken when
+ alerts are generated.
items:
$ref: '#/components/schemas/Security_Detections_API_RuleAction'
type: array
alias_purpose:
- $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose
alias_target_id:
- $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId
author:
$ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray'
building_block_type:
@@ -41961,7 +44765,8 @@ components:
$ref: '#/components/schemas/Security_Detections_API_RuleExceptionList'
type: array
false_positives:
- $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_RuleFalsePositiveArray
from:
$ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom'
interval:
@@ -41977,24 +44782,35 @@ components:
name:
$ref: '#/components/schemas/Security_Detections_API_RuleName'
namespace:
- $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_AlertsIndexNamespace
note:
$ref: '#/components/schemas/Security_Detections_API_InvestigationGuide'
outcome:
- $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome
output_index:
$ref: '#/components/schemas/Security_Detections_API_AlertsIndex'
references:
$ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray'
related_integrations:
- $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_RelatedIntegrationArray
required_fields:
- description: |
- Elasticsearch fields and their types that need to be present for the rule to function.
+ description: >
+ Elasticsearch fields and their types that need to be present for
+ the rule to function.
+
> info
- > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data.
+
+ > The value of `required_fields` does not affect the rule’s
+ behavior, and specifying it incorrectly won’t cause the rule to
+ fail. Use `required_fields` as an informational property to
+ document the fields that the rule expects to be present in the
+ data.
items:
- $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_RequiredFieldInput
type: array
response_actions:
items:
@@ -42021,11 +44837,13 @@ components:
timeline_id:
$ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId'
timeline_title:
- $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_TimelineTemplateTitle
timestamp_override:
$ref: '#/components/schemas/Security_Detections_API_TimestampOverride'
timestamp_override_fallback_disabled:
- $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled
to:
$ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo'
version:
@@ -42054,25 +44872,33 @@ components:
- related_integrations
- required_fields
- $ref: '#/components/schemas/Security_Detections_API_ResponseFields'
- - $ref: '#/components/schemas/Security_Detections_API_ThresholdRuleResponseFields'
+ - $ref: >-
+ #/components/schemas/Security_Detections_API_ThresholdRuleResponseFields
Security_Detections_API_ThresholdRuleCreateFields:
allOf:
- - $ref: '#/components/schemas/Security_Detections_API_ThresholdRuleRequiredFields'
- - $ref: '#/components/schemas/Security_Detections_API_ThresholdRuleOptionalFields'
- - $ref: '#/components/schemas/Security_Detections_API_ThresholdRuleDefaultableFields'
+ - $ref: >-
+ #/components/schemas/Security_Detections_API_ThresholdRuleRequiredFields
+ - $ref: >-
+ #/components/schemas/Security_Detections_API_ThresholdRuleOptionalFields
+ - $ref: >-
+ #/components/schemas/Security_Detections_API_ThresholdRuleDefaultableFields
Security_Detections_API_ThresholdRuleCreateProps:
allOf:
- type: object
properties:
actions:
- description: Array defining the automated actions (notifications) taken when alerts are generated.
+ description: >-
+ Array defining the automated actions (notifications) taken when
+ alerts are generated.
items:
$ref: '#/components/schemas/Security_Detections_API_RuleAction'
type: array
alias_purpose:
- $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose
alias_target_id:
- $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId
author:
$ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray'
building_block_type:
@@ -42086,7 +44912,8 @@ components:
$ref: '#/components/schemas/Security_Detections_API_RuleExceptionList'
type: array
false_positives:
- $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_RuleFalsePositiveArray
from:
$ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom'
interval:
@@ -42102,24 +44929,35 @@ components:
name:
$ref: '#/components/schemas/Security_Detections_API_RuleName'
namespace:
- $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_AlertsIndexNamespace
note:
$ref: '#/components/schemas/Security_Detections_API_InvestigationGuide'
outcome:
- $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome
output_index:
$ref: '#/components/schemas/Security_Detections_API_AlertsIndex'
references:
$ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray'
related_integrations:
- $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_RelatedIntegrationArray
required_fields:
- description: |
- Elasticsearch fields and their types that need to be present for the rule to function.
+ description: >
+ Elasticsearch fields and their types that need to be present for
+ the rule to function.
+
> info
- > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data.
+
+ > The value of `required_fields` does not affect the rule’s
+ behavior, and specifying it incorrectly won’t cause the rule to
+ fail. Use `required_fields` as an informational property to
+ document the fields that the rule expects to be present in the
+ data.
items:
- $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_RequiredFieldInput
type: array
response_actions:
items:
@@ -42148,11 +44986,13 @@ components:
timeline_id:
$ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId'
timeline_title:
- $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_TimelineTemplateTitle
timestamp_override:
$ref: '#/components/schemas/Security_Detections_API_TimestampOverride'
timestamp_override_fallback_disabled:
- $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled
to:
$ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo'
version:
@@ -42162,7 +45002,8 @@ components:
- description
- risk_score
- severity
- - $ref: '#/components/schemas/Security_Detections_API_ThresholdRuleCreateFields'
+ - $ref: >-
+ #/components/schemas/Security_Detections_API_ThresholdRuleCreateFields
Security_Detections_API_ThresholdRuleDefaultableFields:
type: object
properties:
@@ -42172,7 +45013,8 @@ components:
type: object
properties:
alert_suppression:
- $ref: '#/components/schemas/Security_Detections_API_ThresholdAlertSuppression'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_ThresholdAlertSuppression
data_view_id:
$ref: '#/components/schemas/Security_Detections_API_DataViewId'
filters:
@@ -42194,21 +45036,27 @@ components:
enum:
- threshold
type: string
- - $ref: '#/components/schemas/Security_Detections_API_ThresholdRuleOptionalFields'
- - $ref: '#/components/schemas/Security_Detections_API_ThresholdRuleDefaultableFields'
+ - $ref: >-
+ #/components/schemas/Security_Detections_API_ThresholdRuleOptionalFields
+ - $ref: >-
+ #/components/schemas/Security_Detections_API_ThresholdRuleDefaultableFields
Security_Detections_API_ThresholdRulePatchProps:
allOf:
- type: object
properties:
actions:
- description: Array defining the automated actions (notifications) taken when alerts are generated.
+ description: >-
+ Array defining the automated actions (notifications) taken when
+ alerts are generated.
items:
$ref: '#/components/schemas/Security_Detections_API_RuleAction'
type: array
alias_purpose:
- $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose
alias_target_id:
- $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId
author:
$ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray'
building_block_type:
@@ -42222,7 +45070,8 @@ components:
$ref: '#/components/schemas/Security_Detections_API_RuleExceptionList'
type: array
false_positives:
- $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_RuleFalsePositiveArray
from:
$ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom'
id:
@@ -42240,24 +45089,35 @@ components:
name:
$ref: '#/components/schemas/Security_Detections_API_RuleName'
namespace:
- $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_AlertsIndexNamespace
note:
$ref: '#/components/schemas/Security_Detections_API_InvestigationGuide'
outcome:
- $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome
output_index:
$ref: '#/components/schemas/Security_Detections_API_AlertsIndex'
references:
$ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray'
related_integrations:
- $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_RelatedIntegrationArray
required_fields:
- description: |
- Elasticsearch fields and their types that need to be present for the rule to function.
+ description: >
+ Elasticsearch fields and their types that need to be present for
+ the rule to function.
+
> info
- > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data.
+
+ > The value of `required_fields` does not affect the rule’s
+ behavior, and specifying it incorrectly won’t cause the rule to
+ fail. Use `required_fields` as an informational property to
+ document the fields that the rule expects to be present in the
+ data.
items:
- $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_RequiredFieldInput
type: array
response_actions:
items:
@@ -42286,16 +45146,19 @@ components:
timeline_id:
$ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId'
timeline_title:
- $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_TimelineTemplateTitle
timestamp_override:
$ref: '#/components/schemas/Security_Detections_API_TimestampOverride'
timestamp_override_fallback_disabled:
- $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled
to:
$ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo'
version:
$ref: '#/components/schemas/Security_Detections_API_RuleVersion'
- - $ref: '#/components/schemas/Security_Detections_API_ThresholdRulePatchFields'
+ - $ref: >-
+ #/components/schemas/Security_Detections_API_ThresholdRulePatchFields
Security_Detections_API_ThresholdRuleRequiredFields:
type: object
properties:
@@ -42314,8 +45177,10 @@ components:
- threshold
Security_Detections_API_ThresholdRuleResponseFields:
allOf:
- - $ref: '#/components/schemas/Security_Detections_API_ThresholdRuleRequiredFields'
- - $ref: '#/components/schemas/Security_Detections_API_ThresholdRuleOptionalFields'
+ - $ref: >-
+ #/components/schemas/Security_Detections_API_ThresholdRuleRequiredFields
+ - $ref: >-
+ #/components/schemas/Security_Detections_API_ThresholdRuleOptionalFields
- type: object
properties:
language:
@@ -42327,14 +45192,18 @@ components:
- type: object
properties:
actions:
- description: Array defining the automated actions (notifications) taken when alerts are generated.
+ description: >-
+ Array defining the automated actions (notifications) taken when
+ alerts are generated.
items:
$ref: '#/components/schemas/Security_Detections_API_RuleAction'
type: array
alias_purpose:
- $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose
alias_target_id:
- $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId
author:
$ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray'
building_block_type:
@@ -42348,7 +45217,8 @@ components:
$ref: '#/components/schemas/Security_Detections_API_RuleExceptionList'
type: array
false_positives:
- $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_RuleFalsePositiveArray
from:
$ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom'
id:
@@ -42366,24 +45236,35 @@ components:
name:
$ref: '#/components/schemas/Security_Detections_API_RuleName'
namespace:
- $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_AlertsIndexNamespace
note:
$ref: '#/components/schemas/Security_Detections_API_InvestigationGuide'
outcome:
- $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome
output_index:
$ref: '#/components/schemas/Security_Detections_API_AlertsIndex'
references:
$ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray'
related_integrations:
- $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_RelatedIntegrationArray
required_fields:
- description: |
- Elasticsearch fields and their types that need to be present for the rule to function.
+ description: >
+ Elasticsearch fields and their types that need to be present for
+ the rule to function.
+
> info
- > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data.
+
+ > The value of `required_fields` does not affect the rule’s
+ behavior, and specifying it incorrectly won’t cause the rule to
+ fail. Use `required_fields` as an informational property to
+ document the fields that the rule expects to be present in the
+ data.
items:
- $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_RequiredFieldInput
type: array
response_actions:
items:
@@ -42412,11 +45293,13 @@ components:
timeline_id:
$ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId'
timeline_title:
- $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_TimelineTemplateTitle
timestamp_override:
$ref: '#/components/schemas/Security_Detections_API_TimestampOverride'
timestamp_override_fallback_disabled:
- $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled'
+ $ref: >-
+ #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled
to:
$ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo'
version:
@@ -42426,17 +45309,26 @@ components:
- description
- risk_score
- severity
- - $ref: '#/components/schemas/Security_Detections_API_ThresholdRuleCreateFields'
+ - $ref: >-
+ #/components/schemas/Security_Detections_API_ThresholdRuleCreateFields
Security_Detections_API_ThresholdValue:
description: The threshold value from which an alert is generated.
minimum: 1
type: integer
Security_Detections_API_ThrottleForBulkActions:
- description: |
+ description: >
Defines the maximum interval in which a rule’s actions are executed.
+
> info
- > The rule level `throttle` field is deprecated in Elastic Security 8.8 and will remain active for at least the next 12 months.
- > In Elastic Security 8.8 and later, you can use the `frequency` field to define frequencies for individual actions. Actions without frequencies will acquire a converted version of the rule’s `throttle` field. In the response, the converted `throttle` setting appears in the individual actions' `frequency` field.
+
+ > The rule level `throttle` field is deprecated in Elastic Security 8.8
+ and will remain active for at least the next 12 months.
+
+ > In Elastic Security 8.8 and later, you can use the `frequency` field
+ to define frequencies for individual actions. Actions without
+ frequencies will acquire a converted version of the rule’s `throttle`
+ field. In the response, the converted `throttle` setting appears in the
+ individual actions' `frequency` field.
enum:
- rule
- 1h
@@ -42453,10 +45345,17 @@ components:
description: Timeline template title
type: string
Security_Detections_API_TimestampField:
- description: Specifies the name of the event timestamp field used for sorting a sequence of events. Not to be confused with `timestamp_override`, which specifies the more general field used for querying events within a range. Defaults to the @timestamp ECS field.
+ description: >-
+ Specifies the name of the event timestamp field used for sorting a
+ sequence of events. Not to be confused with `timestamp_override`, which
+ specifies the more general field used for querying events within a
+ range. Defaults to the @timestamp ECS field.
type: string
Security_Detections_API_TimestampOverride:
- description: Sets the time field used to query indices. When unspecified, rules query the `@timestamp` field. The source field must be an Elasticsearch date data type.
+ description: >-
+ Sets the time field used to query indices. When unspecified, rules query
+ the `@timestamp` field. The source field must be an Elasticsearch date
+ data type.
type: string
Security_Detections_API_TimestampOverrideFallbackDisabled:
description: Disables the fallback to the event's @timestamp field
@@ -42498,34 +45397,44 @@ components:
created_by:
type: string
description:
- $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListDescription'
+ $ref: >-
+ #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListDescription
id:
- $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListId'
+ $ref: >-
+ #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListId
immutable:
type: boolean
list_id:
- $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListHumanId'
+ $ref: >-
+ #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListHumanId
meta:
- $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListMeta'
+ $ref: >-
+ #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListMeta
name:
- $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListName'
+ $ref: >-
+ #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListName
namespace_type:
- $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionNamespaceType'
+ $ref: >-
+ #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionNamespaceType
os_types:
- $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListOsTypeArray'
+ $ref: >-
+ #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListOsTypeArray
tags:
- $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListTags'
+ $ref: >-
+ #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListTags
tie_breaker_id:
type: string
type:
- $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListType'
+ $ref: >-
+ #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListType
updated_at:
format: date-time
type: string
updated_by:
type: string
version:
- $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListVersion'
+ $ref: >-
+ #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListVersion
required:
- id
- list_id
@@ -42553,39 +45462,51 @@ components:
_version:
type: string
comments:
- $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemCommentArray'
+ $ref: >-
+ #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemCommentArray
created_at:
format: date-time
type: string
created_by:
type: string
description:
- $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemDescription'
+ $ref: >-
+ #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemDescription
entries:
- $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryArray'
+ $ref: >-
+ #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryArray
expire_time:
format: date-time
type: string
id:
- $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemId'
+ $ref: >-
+ #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemId
item_id:
- $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemHumanId'
+ $ref: >-
+ #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemHumanId
list_id:
- $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListHumanId'
+ $ref: >-
+ #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListHumanId
meta:
- $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemMeta'
+ $ref: >-
+ #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemMeta
name:
- $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemName'
+ $ref: >-
+ #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemName
namespace_type:
- $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionNamespaceType'
+ $ref: >-
+ #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionNamespaceType
os_types:
- $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemOsTypeArray'
+ $ref: >-
+ #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemOsTypeArray
tags:
- $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemTags'
+ $ref: >-
+ #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemTags
tie_breaker_id:
type: string
type:
- $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemType'
+ $ref: >-
+ #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemType
updated_at:
format: date-time
type: string
@@ -42630,23 +45551,31 @@ components:
- created_by
Security_Endpoint_Exceptions_API_ExceptionListItemCommentArray:
items:
- $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemComment'
+ $ref: >-
+ #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemComment
type: array
Security_Endpoint_Exceptions_API_ExceptionListItemDescription:
type: string
Security_Endpoint_Exceptions_API_ExceptionListItemEntry:
anyOf:
- - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatch'
- - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatchAny'
- - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryList'
- - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryExists'
- - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryNested'
- - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatchWildcard'
+ - $ref: >-
+ #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatch
+ - $ref: >-
+ #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatchAny
+ - $ref: >-
+ #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryList
+ - $ref: >-
+ #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryExists
+ - $ref: >-
+ #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryNested
+ - $ref: >-
+ #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatchWildcard
discriminator:
propertyName: type
Security_Endpoint_Exceptions_API_ExceptionListItemEntryArray:
items:
- $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntry'
+ $ref: >-
+ #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntry
type: array
Security_Endpoint_Exceptions_API_ExceptionListItemEntryExists:
type: object
@@ -42654,7 +45583,8 @@ components:
field:
$ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString'
operator:
- $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryOperator'
+ $ref: >-
+ #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryOperator
type:
enum:
- exists
@@ -42679,7 +45609,8 @@ components:
- id
- type
operator:
- $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryOperator'
+ $ref: >-
+ #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryOperator
type:
enum:
- list
@@ -42695,7 +45626,8 @@ components:
field:
$ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString'
operator:
- $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryOperator'
+ $ref: >-
+ #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryOperator
type:
enum:
- match
@@ -42713,14 +45645,16 @@ components:
field:
$ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString'
operator:
- $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryOperator'
+ $ref: >-
+ #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryOperator
type:
enum:
- match_any
type: string
value:
items:
- $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString'
+ $ref: >-
+ #/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString
minItems: 1
type: array
required:
@@ -42734,7 +45668,8 @@ components:
field:
$ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString'
operator:
- $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryOperator'
+ $ref: >-
+ #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryOperator
type:
enum:
- wildcard
@@ -42751,7 +45686,8 @@ components:
properties:
entries:
items:
- $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryNestedEntryItem'
+ $ref: >-
+ #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryNestedEntryItem
minItems: 1
type: array
field:
@@ -42766,9 +45702,12 @@ components:
- entries
Security_Endpoint_Exceptions_API_ExceptionListItemEntryNestedEntryItem:
oneOf:
- - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatch'
- - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatchAny'
- - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryExists'
+ - $ref: >-
+ #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatch
+ - $ref: >-
+ #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatchAny
+ - $ref: >-
+ #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryExists
Security_Endpoint_Exceptions_API_ExceptionListItemEntryOperator:
enum:
- excluded
@@ -42785,7 +45724,8 @@ components:
$ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString'
Security_Endpoint_Exceptions_API_ExceptionListItemOsTypeArray:
items:
- $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListOsType'
+ $ref: >-
+ #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListOsType
type: array
Security_Endpoint_Exceptions_API_ExceptionListItemTags:
items:
@@ -42808,7 +45748,8 @@ components:
type: string
Security_Endpoint_Exceptions_API_ExceptionListOsTypeArray:
items:
- $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListOsType'
+ $ref: >-
+ #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListOsType
type: array
Security_Endpoint_Exceptions_API_ExceptionListTags:
items:
@@ -42828,11 +45769,15 @@ components:
minimum: 1
type: integer
Security_Endpoint_Exceptions_API_ExceptionNamespaceType:
- description: |
- Determines whether the exception container is available in all Kibana spaces or just the space
+ description: >
+ Determines whether the exception container is available in all Kibana
+ spaces or just the space
+
in which it is created, where:
+
- `single`: Only available in the Kibana space in which it is created.
+
- `agnostic`: Available in all Kibana spaces.
enum:
- agnostic
@@ -42932,9 +45877,11 @@ components:
type: object
properties:
agent_id:
- $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentId'
+ $ref: >-
+ #/components/schemas/Security_Endpoint_Management_API_AgentId
pending_actions:
- $ref: '#/components/schemas/Security_Endpoint_Management_API_PendingActionsSchema'
+ $ref: >-
+ #/components/schemas/Security_Endpoint_Management_API_PendingActionsSchema
required:
- agent_id
- pending_actions
@@ -43050,7 +45997,9 @@ components:
'@timestamp': '2023-07-04T15:48:57.3609346Z'
agent:
build:
- original: 'version: 7.16.0, compiled: Tue Nov 16 17:00:00 2021, branch: 7.16, commit: 73a51033db85e0fb3be1c934697ef6a2b08979ab'
+ original: >-
+ version: 7.16.0, compiled: Tue Nov 16 17:00:00 2021, branch:
+ 7.16, commit: 73a51033db85e0fb3be1c934697ef6a2b08979ab
id: abb8a826-6812-448c-a571-6d8269b51449
type: endpoint
version: 7.16.0
@@ -43141,7 +46090,8 @@ components:
comment:
$ref: '#/components/schemas/Security_Endpoint_Management_API_Comment'
endpoint_ids:
- $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointIds'
+ $ref: >-
+ #/components/schemas/Security_Endpoint_Management_API_EndpointIds
parameters:
$ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters'
required:
@@ -43152,9 +46102,11 @@ components:
type: object
properties:
command:
- $ref: '#/components/schemas/Security_Endpoint_Management_API_Command'
+ $ref: >-
+ #/components/schemas/Security_Endpoint_Management_API_Command
timeout:
- $ref: '#/components/schemas/Security_Endpoint_Management_API_Timeout'
+ $ref: >-
+ #/components/schemas/Security_Endpoint_Management_API_Timeout
required:
- command
required:
@@ -43294,7 +46246,8 @@ components:
comment:
$ref: '#/components/schemas/Security_Endpoint_Management_API_Comment'
endpoint_ids:
- $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointIds'
+ $ref: >-
+ #/components/schemas/Security_Endpoint_Management_API_EndpointIds
parameters:
$ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters'
required:
@@ -43456,7 +46409,8 @@ components:
comment:
$ref: '#/components/schemas/Security_Endpoint_Management_API_Comment'
endpoint_ids:
- $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointIds'
+ $ref: >-
+ #/components/schemas/Security_Endpoint_Management_API_EndpointIds
parameters:
$ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters'
required:
@@ -43482,7 +46436,9 @@ components:
- type: object
properties:
process_name:
- description: The name of the process to terminate. Valid for SentinelOne agent type only.
+ description: >-
+ The name of the process to terminate. Valid for
+ SentinelOne agent type only.
example: Elastic
minLength: 1
type: string
@@ -43532,7 +46488,9 @@ components:
'@timestamp': '2023-07-04T15:47:57.432173535Z'
agent:
build:
- original: 'version: 7.16.0, compiled: Tue Nov 16 16:00:00 2021, branch: 7.16, commit: 73a51033db85e0fb3be1c934697ef6a2b08979ab'
+ original: >-
+ version: 7.16.0, compiled: Tue Nov 16 16:00:00 2021, branch:
+ 7.16, commit: 73a51033db85e0fb3be1c934697ef6a2b08979ab
id: 285297c6-3bff-4b83-9a07-f3e749801123
type: endpoint
version: 7.16.0
@@ -43591,7 +46549,9 @@ components:
variant: Ubuntu
family: ubuntu
full: Ubuntu 20.04.2
- kernel: '5.8.0-59-generic #66~20.04.1-Ubuntu SMP Thu Jun 17 11:14:10 UTC 2021'
+ kernel: >-
+ 5.8.0-59-generic #66~20.04.1-Ubuntu SMP Thu Jun 17 11:14:10
+ UTC 2021
name: Linux
platform: ubuntu
type: linux
@@ -43614,7 +46574,9 @@ components:
'@timestamp': '2023-07-04T15:44:31.4917849Z'
agent:
build:
- original: 'version: 7.16.0, compiled: Tue Nov 16 17:00:00 2021, branch: 7.16, commit: 73a51033db85e0fb3be1c934697ef6a2b08979ab'
+ original: >-
+ version: 7.16.0, compiled: Tue Nov 16 17:00:00 2021, branch:
+ 7.16, commit: 73a51033db85e0fb3be1c934697ef6a2b08979ab
id: abb8a826-6812-448c-a571-6d8269b51449
type: endpoint
version: 7.16.0
@@ -43725,23 +46687,32 @@ components:
- type: object
properties:
execute:
- $ref: '#/components/schemas/Security_Endpoint_Management_API_PendingActionDataType'
+ $ref: >-
+ #/components/schemas/Security_Endpoint_Management_API_PendingActionDataType
get-file:
- $ref: '#/components/schemas/Security_Endpoint_Management_API_PendingActionDataType'
+ $ref: >-
+ #/components/schemas/Security_Endpoint_Management_API_PendingActionDataType
isolate:
- $ref: '#/components/schemas/Security_Endpoint_Management_API_PendingActionDataType'
+ $ref: >-
+ #/components/schemas/Security_Endpoint_Management_API_PendingActionDataType
kill-process:
- $ref: '#/components/schemas/Security_Endpoint_Management_API_PendingActionDataType'
+ $ref: >-
+ #/components/schemas/Security_Endpoint_Management_API_PendingActionDataType
running-processes:
- $ref: '#/components/schemas/Security_Endpoint_Management_API_PendingActionDataType'
+ $ref: >-
+ #/components/schemas/Security_Endpoint_Management_API_PendingActionDataType
scan:
- $ref: '#/components/schemas/Security_Endpoint_Management_API_PendingActionDataType'
+ $ref: >-
+ #/components/schemas/Security_Endpoint_Management_API_PendingActionDataType
suspend-process:
- $ref: '#/components/schemas/Security_Endpoint_Management_API_PendingActionDataType'
+ $ref: >-
+ #/components/schemas/Security_Endpoint_Management_API_PendingActionDataType
unisolate:
- $ref: '#/components/schemas/Security_Endpoint_Management_API_PendingActionDataType'
+ $ref: >-
+ #/components/schemas/Security_Endpoint_Management_API_PendingActionDataType
upload:
- $ref: '#/components/schemas/Security_Endpoint_Management_API_PendingActionDataType'
+ $ref: >-
+ #/components/schemas/Security_Endpoint_Management_API_PendingActionDataType
- additionalProperties: true
type: object
Security_Endpoint_Management_API_ProtectionUpdatesNoteResponse:
@@ -43770,11 +46741,16 @@ components:
type: object
properties:
parameters:
- description: Exactly one of 'Raw', 'HostPath', or 'CloudFile' must be provided. CommandLine and Timeout are optional for all.
+ description: >-
+ Exactly one of 'Raw', 'HostPath', or 'CloudFile' must be provided.
+ CommandLine and Timeout are optional for all.
oneOf:
- - $ref: '#/components/schemas/Security_Endpoint_Management_API_RawScriptParameters'
- - $ref: '#/components/schemas/Security_Endpoint_Management_API_HostPathScriptParameters'
- - $ref: '#/components/schemas/Security_Endpoint_Management_API_CloudFileScriptParameters'
+ - $ref: >-
+ #/components/schemas/Security_Endpoint_Management_API_RawScriptParameters
+ - $ref: >-
+ #/components/schemas/Security_Endpoint_Management_API_HostPathScriptParameters
+ - $ref: >-
+ #/components/schemas/Security_Endpoint_Management_API_CloudFileScriptParameters
required:
- parameters
Security_Endpoint_Management_API_ScanRouteRequestBody:
@@ -43790,7 +46766,8 @@ components:
comment:
$ref: '#/components/schemas/Security_Endpoint_Management_API_Comment'
endpoint_ids:
- $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointIds'
+ $ref: >-
+ #/components/schemas/Security_Endpoint_Management_API_EndpointIds
parameters:
$ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters'
required:
@@ -43881,7 +46858,8 @@ components:
comment:
$ref: '#/components/schemas/Security_Endpoint_Management_API_Comment'
endpoint_ids:
- $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointIds'
+ $ref: >-
+ #/components/schemas/Security_Endpoint_Management_API_EndpointIds
parameters:
$ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters'
required:
@@ -43996,7 +46974,8 @@ components:
comment:
$ref: '#/components/schemas/Security_Endpoint_Management_API_Comment'
endpoint_ids:
- $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointIds'
+ $ref: >-
+ #/components/schemas/Security_Endpoint_Management_API_EndpointIds
parameters:
$ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters'
required:
@@ -44067,7 +47046,9 @@ components:
- minLength: 1
type: string
Security_Endpoint_Management_API_WithOutputs:
- description: A list of action IDs that should include the complete output of the action.
+ description: >-
+ A list of action IDs that should include the complete output of the
+ action.
example:
- action-id-1
- action-id-2
@@ -44112,8 +47093,10 @@ components:
type: string
Security_Entity_Analytics_API_AssetCriticalityRecord:
allOf:
- - $ref: '#/components/schemas/Security_Entity_Analytics_API_CreateAssetCriticalityRecord'
- - $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityRecordEcsParts'
+ - $ref: >-
+ #/components/schemas/Security_Entity_Analytics_API_CreateAssetCriticalityRecord
+ - $ref: >-
+ #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityRecordEcsParts
- type: object
properties:
'@timestamp':
@@ -44141,7 +47124,8 @@ components:
type: object
properties:
criticality:
- $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel'
+ $ref: >-
+ #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel
required:
- asset
host:
@@ -44151,7 +47135,8 @@ components:
type: object
properties:
criticality:
- $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel'
+ $ref: >-
+ #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel
required:
- criticality
name:
@@ -44165,7 +47150,8 @@ components:
type: object
properties:
criticality:
- $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel'
+ $ref: >-
+ #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel
required:
- criticality
name:
@@ -44179,7 +47165,8 @@ components:
type: object
properties:
criticality:
- $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel'
+ $ref: >-
+ #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel
required:
- criticality
name:
@@ -44245,11 +47232,13 @@ components:
- errors
Security_Entity_Analytics_API_CreateAssetCriticalityRecord:
allOf:
- - $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityRecordIdParts'
+ - $ref: >-
+ #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityRecordIdParts
- type: object
properties:
criticality_level:
- $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel'
+ $ref: >-
+ #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel
required:
- criticality_level
Security_Entity_Analytics_API_EngineComponentResource:
@@ -44288,7 +47277,8 @@ components:
installed:
type: boolean
resource:
- $ref: '#/components/schemas/Security_Entity_Analytics_API_EngineComponentResource'
+ $ref: >-
+ #/components/schemas/Security_Entity_Analytics_API_EngineComponentResource
required:
- id
- installed
@@ -44395,17 +47385,23 @@ components:
format: double
type: number
calculated_score_norm:
- description: The normalized numeric value of the given entity's risk score. Useful for comparing with other entities.
+ description: >-
+ The normalized numeric value of the given entity's risk score.
+ Useful for comparing with other entities.
format: double
maximum: 100
minimum: 0
type: number
category_1_count:
- description: The number of risk input documents that contributed to the Category 1 score (`category_1_score`).
+ description: >-
+ The number of risk input documents that contributed to the Category
+ 1 score (`category_1_score`).
format: integer
type: number
category_1_score:
- description: The contribution of Category 1 to the overall risk score (`calculated_score`). Category 1 contains Detection Engine Alerts.
+ description: >-
+ The contribution of Category 1 to the overall risk score
+ (`calculated_score`). Category 1 contains Detection Engine Alerts.
format: double
type: number
category_2_count:
@@ -44415,20 +47411,27 @@ components:
format: double
type: number
criticality_level:
- $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel'
+ $ref: >-
+ #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel
criticality_modifier:
format: double
type: number
id_field:
- description: The identifier field defining this risk score. Coupled with `id_value`, uniquely identifies the entity being scored.
+ description: >-
+ The identifier field defining this risk score. Coupled with
+ `id_value`, uniquely identifies the entity being scored.
example: host.name
type: string
id_value:
- description: The identifier value defining this risk score. Coupled with `id_field`, uniquely identifies the entity being scored.
+ description: >-
+ The identifier value defining this risk score. Coupled with
+ `id_field`, uniquely identifies the entity being scored.
example: example.host
type: string
inputs:
- description: A list of the highest-risk documents contributing to this risk score. Useful for investigative purposes.
+ description: >-
+ A list of the highest-risk documents contributing to this risk
+ score. Useful for investigative purposes.
items:
$ref: '#/components/schemas/Security_Entity_Analytics_API_RiskScoreInput'
type: array
@@ -44463,7 +47466,8 @@ components:
type: object
properties:
criticality:
- $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel'
+ $ref: >-
+ #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel
required:
- criticality
entity:
@@ -44512,7 +47516,8 @@ components:
name:
type: string
risk:
- $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityRiskScoreRecord'
+ $ref: >-
+ #/components/schemas/Security_Entity_Analytics_API_EntityRiskScoreRecord
type:
items:
type: string
@@ -44545,7 +47550,10 @@ components:
- dsl
- response
Security_Entity_Analytics_API_Interval:
- description: Interval in which enrich policy runs. For example, `"1h"` means the rule runs every hour. Must be less than or equal to half the duration of the lookback period,
+ description: >-
+ Interval in which enrich policy runs. For example, `"1h"` means the rule
+ runs every hour. Must be less than or equal to half the duration of the
+ lookback period,
example: 1h
pattern: ^[1-9]\d*[smh]$
type: string
@@ -44612,7 +47620,8 @@ components:
type: object
properties:
criticality:
- $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel'
+ $ref: >-
+ #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel
required:
- criticality
entity:
@@ -44637,7 +47646,8 @@ components:
name:
type: string
risk:
- $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityRiskScoreRecord'
+ $ref: >-
+ #/components/schemas/Security_Entity_Analytics_API_EntityRiskScoreRecord
required:
- name
required:
@@ -44673,7 +47683,8 @@ components:
type: object
properties:
criticality:
- $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel'
+ $ref: >-
+ #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel
required:
- criticality
entity:
@@ -44718,7 +47729,8 @@ components:
name:
type: string
risk:
- $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityRiskScoreRecord'
+ $ref: >-
+ #/components/schemas/Security_Entity_Analytics_API_EntityRiskScoreRecord
roles:
items:
type: string
@@ -44737,7 +47749,8 @@ components:
- comment
Security_Exceptions_API_CreateExceptionListItemCommentArray:
items:
- $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemComment'
+ $ref: >-
+ #/components/schemas/Security_Exceptions_API_CreateExceptionListItemComment
type: array
Security_Exceptions_API_CreateRuleExceptionListItemComment:
type: object
@@ -44748,23 +47761,28 @@ components:
- comment
Security_Exceptions_API_CreateRuleExceptionListItemCommentArray:
items:
- $ref: '#/components/schemas/Security_Exceptions_API_CreateRuleExceptionListItemComment'
+ $ref: >-
+ #/components/schemas/Security_Exceptions_API_CreateRuleExceptionListItemComment
type: array
Security_Exceptions_API_CreateRuleExceptionListItemProps:
type: object
properties:
comments:
- $ref: '#/components/schemas/Security_Exceptions_API_CreateRuleExceptionListItemCommentArray'
+ $ref: >-
+ #/components/schemas/Security_Exceptions_API_CreateRuleExceptionListItemCommentArray
default: []
description:
- $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemDescription'
+ $ref: >-
+ #/components/schemas/Security_Exceptions_API_ExceptionListItemDescription
entries:
- $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryArray'
+ $ref: >-
+ #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryArray
expire_time:
format: date-time
type: string
item_id:
- $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemHumanId'
+ $ref: >-
+ #/components/schemas/Security_Exceptions_API_ExceptionListItemHumanId
meta:
$ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemMeta'
name:
@@ -44773,7 +47791,8 @@ components:
$ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType'
default: single
os_types:
- $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemOsTypeArray'
+ $ref: >-
+ #/components/schemas/Security_Exceptions_API_ExceptionListItemOsTypeArray
default: []
tags:
$ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemTags'
@@ -44796,7 +47815,8 @@ components:
created_by:
type: string
description:
- $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListDescription'
+ $ref: >-
+ #/components/schemas/Security_Exceptions_API_ExceptionListDescription
id:
$ref: '#/components/schemas/Security_Exceptions_API_ExceptionListId'
immutable:
@@ -44810,7 +47830,8 @@ components:
namespace_type:
$ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType'
os_types:
- $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListOsTypeArray'
+ $ref: >-
+ #/components/schemas/Security_Exceptions_API_ExceptionListOsTypeArray
tags:
$ref: '#/components/schemas/Security_Exceptions_API_ExceptionListTags'
tie_breaker_id:
@@ -44851,23 +47872,27 @@ components:
_version:
type: string
comments:
- $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemCommentArray'
+ $ref: >-
+ #/components/schemas/Security_Exceptions_API_ExceptionListItemCommentArray
created_at:
format: date-time
type: string
created_by:
type: string
description:
- $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemDescription'
+ $ref: >-
+ #/components/schemas/Security_Exceptions_API_ExceptionListItemDescription
entries:
- $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryArray'
+ $ref: >-
+ #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryArray
expire_time:
format: date-time
type: string
id:
$ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemId'
item_id:
- $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemHumanId'
+ $ref: >-
+ #/components/schemas/Security_Exceptions_API_ExceptionListItemHumanId
list_id:
$ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId'
meta:
@@ -44877,7 +47902,8 @@ components:
namespace_type:
$ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType'
os_types:
- $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemOsTypeArray'
+ $ref: >-
+ #/components/schemas/Security_Exceptions_API_ExceptionListItemOsTypeArray
tags:
$ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemTags'
tie_breaker_id:
@@ -44934,12 +47960,18 @@ components:
type: string
Security_Exceptions_API_ExceptionListItemEntry:
anyOf:
- - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryMatch'
- - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryMatchAny'
- - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryList'
- - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryExists'
- - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryNested'
- - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryMatchWildcard'
+ - $ref: >-
+ #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryMatch
+ - $ref: >-
+ #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryMatchAny
+ - $ref: >-
+ #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryList
+ - $ref: >-
+ #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryExists
+ - $ref: >-
+ #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryNested
+ - $ref: >-
+ #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryMatchWildcard
discriminator:
propertyName: type
Security_Exceptions_API_ExceptionListItemEntryArray:
@@ -44952,7 +47984,8 @@ components:
field:
$ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString'
operator:
- $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryOperator'
+ $ref: >-
+ #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryOperator
type:
enum:
- exists
@@ -44977,7 +48010,8 @@ components:
- id
- type
operator:
- $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryOperator'
+ $ref: >-
+ #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryOperator
type:
enum:
- list
@@ -44993,7 +48027,8 @@ components:
field:
$ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString'
operator:
- $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryOperator'
+ $ref: >-
+ #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryOperator
type:
enum:
- match
@@ -45011,7 +48046,8 @@ components:
field:
$ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString'
operator:
- $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryOperator'
+ $ref: >-
+ #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryOperator
type:
enum:
- match_any
@@ -45032,7 +48068,8 @@ components:
field:
$ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString'
operator:
- $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryOperator'
+ $ref: >-
+ #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryOperator
type:
enum:
- wildcard
@@ -45049,7 +48086,8 @@ components:
properties:
entries:
items:
- $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryNestedEntryItem'
+ $ref: >-
+ #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryNestedEntryItem
minItems: 1
type: array
field:
@@ -45064,9 +48102,12 @@ components:
- entries
Security_Exceptions_API_ExceptionListItemEntryNestedEntryItem:
oneOf:
- - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryMatch'
- - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryMatchAny'
- - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryExists'
+ - $ref: >-
+ #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryMatch
+ - $ref: >-
+ #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryMatchAny
+ - $ref: >-
+ #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryExists
Security_Exceptions_API_ExceptionListItemEntryOperator:
enum:
- excluded
@@ -45124,14 +48165,16 @@ components:
id:
$ref: '#/components/schemas/Security_Exceptions_API_ExceptionListId'
item_id:
- $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemHumanId'
+ $ref: >-
+ #/components/schemas/Security_Exceptions_API_ExceptionListItemHumanId
list_id:
$ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId'
required:
- error
Security_Exceptions_API_ExceptionListsImportBulkErrorArray:
items:
- $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListsImportBulkError'
+ $ref: >-
+ #/components/schemas/Security_Exceptions_API_ExceptionListsImportBulkError
type: array
Security_Exceptions_API_ExceptionListTags:
items:
@@ -45151,11 +48194,15 @@ components:
minimum: 1
type: integer
Security_Exceptions_API_ExceptionNamespaceType:
- description: |
- Determines whether the exception container is available in all Kibana spaces or just the space
+ description: >
+ Determines whether the exception container is available in all Kibana
+ spaces or just the space
+
in which it is created, where:
+
- `single`: Only available in the Kibana space in which it is created.
+
- `agnostic`: Available in all Kibana spaces.
enum:
- agnostic
@@ -45234,7 +48281,8 @@ components:
- comment
Security_Exceptions_API_UpdateExceptionListItemCommentArray:
items:
- $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemComment'
+ $ref: >-
+ #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemComment
type: array
Security_Exceptions_API_UUID:
description: A universally unique identifier
@@ -45656,7 +48704,8 @@ components:
type: object
properties:
description:
- $ref: '#/components/schemas/Security_Osquery_API_SavedQueryDescriptionOrUndefined'
+ $ref: >-
+ #/components/schemas/Security_Osquery_API_SavedQueryDescriptionOrUndefined
ecs_mapping:
$ref: '#/components/schemas/Security_Osquery_API_ECSMappingOrUndefined'
id:
@@ -45684,7 +48733,9 @@ components:
Security_Osquery_API_ECSMapping:
additionalProperties:
$ref: '#/components/schemas/Security_Osquery_API_ECSMappingItem'
- description: Map osquery results columns or static values to Elastic Common Schema (ECS) fields
+ description: >-
+ Map osquery results columns or static values to Elastic Common Schema
+ (ECS) fields
example:
host.uptime:
field: total_seconds
@@ -45947,7 +48998,10 @@ components:
nullable: true
type: integer
Security_Osquery_API_Platform:
- description: Restricts the query to a specified platform. The default is all platforms. To specify multiple platforms, use commas. For example, `linux,darwin`.
+ description: >-
+ Restricts the query to a specified platform. The default is all
+ platforms. To specify multiple platforms, use commas. For example,
+ `linux,darwin`.
example: linux,darwin
type: string
Security_Osquery_API_PlatformOrUndefined:
@@ -45999,7 +49053,10 @@ components:
Security_Osquery_API_Shards:
additionalProperties:
type: number
- description: An object with shard configuration for policies included in the pack. For each policy, set the shard configuration to a percentage (1–100) of target hosts.
+ description: >-
+ An object with shard configuration for policies included in the pack.
+ For each policy, set the shard configuration to a percentage (1–100) of
+ target hosts.
example:
policy_id: 50
type: object
@@ -46074,7 +49131,8 @@ components:
type: object
properties:
description:
- $ref: '#/components/schemas/Security_Osquery_API_SavedQueryDescriptionOrUndefined'
+ $ref: >-
+ #/components/schemas/Security_Osquery_API_SavedQueryDescriptionOrUndefined
ecs_mapping:
$ref: '#/components/schemas/Security_Osquery_API_ECSMappingOrUndefined'
id:
@@ -46097,7 +49155,9 @@ components:
type: object
properties: {}
Security_Osquery_API_Version:
- description: Uses the Osquery versions greater than or equal to the specified version string.
+ description: >-
+ Uses the Osquery versions greater than or equal to the specified version
+ string.
example: 1.0.0
type: string
Security_Osquery_API_VersionOrUndefined:
@@ -46114,7 +49174,8 @@ components:
type: string
Security_Timeline_API_BareNote:
allOf:
- - $ref: '#/components/schemas/Security_Timeline_API_NoteCreatedAndUpdatedMetadata'
+ - $ref: >-
+ #/components/schemas/Security_Timeline_API_NoteCreatedAndUpdatedMetadata
- type: object
properties:
eventId:
@@ -46128,14 +49189,17 @@ components:
nullable: true
type: string
timelineId:
- description: The `savedObjectId` of the Timeline that this note is associated with
+ description: >-
+ The `savedObjectId` of the Timeline that this note is associated
+ with
example: 15c1929b-0af7-42bd-85a8-56e234cc7c4e
type: string
required:
- timelineId
Security_Timeline_API_BarePinnedEvent:
allOf:
- - $ref: '#/components/schemas/Security_Timeline_API_PinnedEventCreatedAndUpdatedMetadata'
+ - $ref: >-
+ #/components/schemas/Security_Timeline_API_PinnedEventCreatedAndUpdatedMetadata
- type: object
properties:
eventId:
@@ -46143,7 +49207,9 @@ components:
example: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc
type: string
timelineId:
- description: The `savedObjectId` of the timeline that this pinned event is associated with
+ description: >-
+ The `savedObjectId` of the timeline that this pinned event is
+ associated with
example: 15c1929b-0af7-42bd-85a8-56e234cc7c4e
type: string
required:
@@ -46385,7 +49451,9 @@ components:
type: object
properties:
error:
- description: The error containing the reason why the timeline could not be imported
+ description: >-
+ The error containing the reason why the timeline could not be
+ imported
type: object
properties:
message:
@@ -46491,7 +49559,8 @@ components:
oneOf:
- allOf:
- $ref: '#/components/schemas/Security_Timeline_API_PinnedEvent'
- - $ref: '#/components/schemas/Security_Timeline_API_PinnedEventBaseResponseBody'
+ - $ref: >-
+ #/components/schemas/Security_Timeline_API_PinnedEventBaseResponseBody
- nullable: true
type: object
Security_Timeline_API_PersistTimelineResponse:
@@ -46540,7 +49609,9 @@ components:
type: object
properties:
created:
- description: The time the pinned event was created, using a 13-digit Epoch timestamp.
+ description: >-
+ The time the pinned event was created, using a 13-digit Epoch
+ timestamp.
example: 1587468588922
nullable: true
type: number
@@ -46550,7 +49621,9 @@ components:
nullable: true
type: string
updated:
- description: The last time the pinned event was updated, using a 13-digit Epoch timestamp
+ description: >-
+ The last time the pinned event was updated, using a 13-digit Epoch
+ timestamp
example: 1741344876825
nullable: true
type: number
@@ -46586,13 +49659,15 @@ components:
type: object
properties:
alias_purpose:
- $ref: '#/components/schemas/Security_Timeline_API_SavedObjectResolveAliasPurpose'
+ $ref: >-
+ #/components/schemas/Security_Timeline_API_SavedObjectResolveAliasPurpose
alias_target_id:
type: string
outcome:
$ref: '#/components/schemas/Security_Timeline_API_SavedObjectResolveOutcome'
timeline:
- $ref: '#/components/schemas/Security_Timeline_API_TimelineSavedToReturnObject'
+ $ref: >-
+ #/components/schemas/Security_Timeline_API_TimelineSavedToReturnObject
required:
- timeline
- outcome
@@ -46677,12 +49752,14 @@ components:
example:
- enabled: true
excluded: false
- id: id-d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bcbf66f57d124dcc739c98e6b
+ id: >-
+ id-d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bcbf66f57d124dcc739c98e6b
name: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bcbf66f57d124dcc739c98e6b
queryMatch:
field: _id,
operator: ':'
- value: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bcbf66f57d124dcc739c98e6b,
+ value: >-
+ d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bcbf66f57d124dcc739c98e6b,
items:
$ref: '#/components/schemas/Security_Timeline_API_DataProviderResult'
nullable: true
@@ -46752,7 +49829,9 @@ components:
nullable: true
type: string
excludedRowRendererIds:
- description: A list of row renderers that should not be used when in `Event renderers` mode
+ description: >-
+ A list of row renderers that should not be used when in `Event
+ renderers` mode
items:
$ref: '#/components/schemas/Security_Timeline_API_RowRendererId'
nullable: true
@@ -46769,7 +49848,9 @@ components:
nullable: true
type: array
indexNames:
- description: A list of index names to use in the query (e.g. when the default data view has been modified)
+ description: >-
+ A list of index names to use in the query (e.g. when the default
+ data view has been modified)
example:
- .logs*
items:
@@ -46777,15 +49858,17 @@ components:
nullable: true
type: array
kqlMode:
- description: |-
- Indicates whether the KQL bar filters the query results or searches for additional results, where:
+ description: >-
+ Indicates whether the KQL bar filters the query results or searches
+ for additional results, where:
* `filter`: filters query results
* `search`: displays additional search results
example: search
nullable: true
type: string
kqlQuery:
- $ref: '#/components/schemas/Security_Timeline_API_SerializedFilterQueryResult'
+ $ref: >-
+ #/components/schemas/Security_Timeline_API_SerializedFilterQueryResult
nullable: true
savedQueryId:
description: The ID of the saved query that might be used in the Query tab
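Review bot: Switching the `kqlMode` description from `|-` to `>-` looks like it changes the value, not just the layout: in a folded block scalar, lines at the same indentation are joined with spaces, so the two `* \`filter\`` / `* \`search\`` bullet lines now fold into the preceding "where:" sentence as one run-on line, whereas the old literal scalar kept them on separate lines (the leading indentation is not visible here, so this holds unless the bullet lines were emitted more-indented than the first content line). The same generator handled this correctly for `Security_Exceptions_API_ExceptionNamespaceType` earlier in this diff by inserting blank lines between the folded lines. Either keep `description: |-` for this value or put a blank line before each `*` line so the folded form preserves the newlines. Since this is generated output, the fix belongs in the bundler/formatter that produced the fold rather than in this file alone.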
@@ -46804,12 +49887,16 @@ components:
$ref: '#/components/schemas/Security_Timeline_API_TimelineStatus'
nullable: true
templateTimelineId:
- description: A unique ID (UUID) for Timeline templates. For Timelines, the value is `null`.
+ description: >-
+ A unique ID (UUID) for Timeline templates. For Timelines, the value
+ is `null`.
example: 6ce1b592-84e3-4b4a-9552-f189d4b82075
nullable: true
type: string
templateTimelineVersion:
- description: Timeline template version number. For Timelines, the value is `null`.
+ description: >-
+ Timeline template version number. For Timelines, the value is
+ `null`.
example: 12
nullable: true
type: number
@@ -46822,7 +49909,9 @@ components:
nullable: true
type: string
updated:
- description: The last time the Timeline was updated, using a 13-digit Epoch timestamp
+ description: >-
+ The last time the Timeline was updated, using a 13-digit Epoch
+ timestamp
example: 1741344876825
nullable: true
type: number
@@ -46854,7 +49943,8 @@ components:
kuery:
expression: '_id : *'
kind: kuery
- serializedQuery: '{"bool":{"should":[{"exists":{"field":"_id"}}],"minimum_should_match":1}}'
+ serializedQuery: >-
+ {"bool":{"should":[{"exists":{"field":"_id"}}],"minimum_should_match":1}}
type: object
properties:
filterQuery:
@@ -46907,7 +49997,8 @@ components:
Security_Timeline_API_TimelineResponse:
allOf:
- $ref: '#/components/schemas/Security_Timeline_API_SavedTimeline'
- - $ref: '#/components/schemas/Security_Timeline_API_SavedTimelineWithSavedObjectId'
+ - $ref: >-
+ #/components/schemas/Security_Timeline_API_SavedTimelineWithSavedObjectId
- type: object
properties:
eventIdToNoteIds:
@@ -46917,7 +50008,9 @@ components:
nullable: true
type: array
noteIds:
- description: A list of all the ids of notes that are associated to this Timeline.
+ description: >-
+ A list of all the ids of notes that are associated to this
+ Timeline.
example:
- 709f99c6-89b6-4953-9160-35945c8e174e
items:
@@ -46931,7 +50024,9 @@ components:
nullable: true
type: array
pinnedEventIds:
- description: A list of all the ids of pinned events that are associated to this Timeline.
+ description: >-
+ A list of all the ids of pinned events that are associated to
+ this Timeline.
example:
- 983f99c6-89b6-4953-9160-35945c8a194f
items:
@@ -46939,7 +50034,9 @@ components:
nullable: true
type: array
pinnedEventsSaveObject:
- description: A list of all the pinned events that are associated to this Timeline.
+ description: >-
+ A list of all the pinned events that are associated to this
+ Timeline.
items:
$ref: '#/components/schemas/Security_Timeline_API_PinnedEvent'
nullable: true
@@ -47019,8 +50116,10 @@ components:
description: The version of Kibana when the short URL was created.
type: string
slug:
- description: |
- A random human-readable slug is automatically generated if the `humanReadableSlug` parameter is set to `true`. If it is set to `false`, a random short string is generated.
+ description: >
+ A random human-readable slug is automatically generated if the
+ `humanReadableSlug` parameter is set to `true`. If it is set to
+ `false`, a random short string is generated.
type: string
SLOs_400_response:
title: Bad request
@@ -47116,8 +50215,9 @@ components:
title: Budgeting method
type: string
SLOs_bulk_delete_request:
- description: |
- The bulk delete SLO request takes a list of SLOs Definition id to delete.
+ description: >
+ The bulk delete SLO request takes a list of SLOs Definition id to
+ delete.
properties:
list:
description: An array of SLO Definition id
@@ -47131,8 +50231,9 @@ components:
title: Bulk delete SLO request
type: object
SLOs_bulk_delete_response:
- description: |
- The bulk delete SLO response returns a taskId that can be used to poll for its status
+ description: >
+ The bulk delete SLO response returns a taskId that can be used to poll
+ for its status
properties:
taskId:
description: The taskId of the bulk delete operation
@@ -47141,7 +50242,9 @@ components:
title: Bulk delete SLO response
type: object
SLOs_bulk_delete_status_response:
- description: Indicates if the bulk deletion is completed, with the detailed results of the operation.
+ description: >-
+ Indicates if the bulk deletion is completed, with the detailed results
+ of the operation.
properties:
error:
description: The error message if the bulk deletion operation failed
@@ -47152,12 +50255,16 @@ components:
example: true
type: boolean
results:
- description: The results of the bulk deletion operation, including the success status and any errors for each SLO
+ description: >-
+ The results of the bulk deletion operation, including the success
+ status and any errors for each SLO
items:
type: object
properties:
error:
- description: The error message if the deletion operation failed for this SLO
+ description: >-
+ The error message if the deletion operation failed for this
+ SLO
example: SLO [d08506b7-f0e8-4f8b-a06a-a83940f4db91] not found
type: string
id:
@@ -47172,8 +50279,11 @@ components:
title: The status of the bulk deletion
type: object
SLOs_bulk_purge_rollup_request:
- description: |
- The bulk purge rollup data request takes a list of SLO ids and a purge policy, then deletes the rollup data according to the purge policy. This API can be used to remove the staled data of an instance SLO that no longer get updated.
+ description: >
+ The bulk purge rollup data request takes a list of SLO ids and a purge
+ policy, then deletes the rollup data according to the purge policy. This
+ API can be used to remove the staled data of an instance SLO that no
+ longer get updated.
properties:
list:
description: An array of slo ids
@@ -47188,23 +50298,33 @@ components:
- type: object
properties:
age:
- description: The duration to determine which documents to purge, formatted as {duration}{unit}. This value should be greater than or equal to the time window of every SLO provided.
+ description: >-
+ The duration to determine which documents to purge,
+ formatted as {duration}{unit}. This value should be greater
+ than or equal to the time window of every SLO provided.
example: 7d
type: string
purgeType:
- description: Specifies whether documents will be purged based on a specific age or on a timestamp
+ description: >-
+ Specifies whether documents will be purged based on a
+ specific age or on a timestamp
enum:
- fixed-age
type: string
- type: object
properties:
purgeType:
- description: Specifies whether documents will be purged based on a specific age or on a timestamp
+ description: >-
+ Specifies whether documents will be purged based on a
+ specific age or on a timestamp
enum:
- fixed-time
type: string
timestamp:
- description: The timestamp to determine which documents to purge, formatted in ISO. This value should be older than the applicable time window of every SLO provided.
+ description: >-
+ The timestamp to determine which documents to purge,
+ formatted in ISO. This value should be older than the
+ applicable time window of every SLO provided.
example: '2024-12-31T00:00:00.000Z'
type: string
type: object
@@ -47214,8 +50334,9 @@ components:
title: Bulk Purge Rollup data request
type: object
SLOs_bulk_purge_rollup_response:
- description: |
- The bulk purge rollup data response returns a task id from the elasticsearch deleteByQuery response.
+ description: >
+ The bulk purge rollup data response returns a task id from the
+ elasticsearch deleteByQuery response.
properties:
taskId:
description: The task id of the purge operation
@@ -47224,8 +50345,9 @@ components:
title: Bulk Purge Rollup data response
type: object
SLOs_create_slo_request:
- description: |
- The create SLO API request body varies depending on the type of indicator, time window and budgeting method.
+ description: >
+ The create SLO API request body varies depending on the type of
+ indicator, time window and budgeting method.
properties:
budgetingMethod:
$ref: '#/components/schemas/SLOs_budgeting_method'
@@ -47235,7 +50357,9 @@ components:
groupBy:
$ref: '#/components/schemas/SLOs_group_by'
id:
- description: A optional and unique identifier for the SLO. Must be between 8 and 36 chars
+ description: >-
+ A optional and unique identifier for the SLO. Must be between 8 and
+ 36 chars
example: my-super-slo-id
type: string
indicator:
@@ -47279,8 +50403,10 @@ components:
required:
- id
SLOs_delete_slo_instances_request:
- description: |
- The delete SLO instances request takes a list of SLO id and instance id, then delete the rollup and summary data. This API can be used to remove the staled data of an instance SLO that no longer get updated.
+ description: >
+ The delete SLO instances request takes a list of SLO id and instance id,
+ then delete the rollup and summary data. This API can be used to remove
+ the staled data of an instance SLO that no longer get updated.
properties:
list:
description: An array of slo id and instance id
@@ -47316,7 +50442,9 @@ components:
example: 0.02
type: number
isEstimated:
- description: Only for SLO defined with occurrences budgeting method and calendar aligned time window.
+ description: >-
+ Only for SLO defined with occurrences budgeting method and calendar
+ aligned time window.
example: true
type: boolean
remaining:
@@ -47442,7 +50570,9 @@ components:
title: Find SLO response
type: object
SLOs_group_by:
- description: optional group by field or fields to use to generate an SLO per distinct value
+ description: >-
+ optional group by field or fields to use to generate an SLO per distinct
+ value
example:
- - service.name
- service.name
@@ -47563,7 +50693,11 @@ components:
type: object
properties:
dataViewId:
- description: The kibana data view id to use, primarily used to include data view runtime mappings. Make sure to save SLO again if you add/update run time fields to the data view and if those fields are being used in slo queries.
+ description: >-
+ The kibana data view id to use, primarily used to include data
+ view runtime mappings. Make sure to save SLO again if you
+ add/update run time fields to the data view and if those fields
+ are being used in slo queries.
example: 03b80ab3-003d-498b-881c-3beedbaf1162
type: string
filter:
@@ -47604,7 +50738,11 @@ components:
type: object
properties:
dataViewId:
- description: The kibana data view id to use, primarily used to include data view runtime mappings. Make sure to save SLO again if you add/update run time fields to the data view and if those fields are being used in slo queries.
+ description: >-
+ The kibana data view id to use, primarily used to include data
+ view runtime mappings. Make sure to save SLO again if you
+ add/update run time fields to the data view and if those fields
+ are being used in slo queries.
example: 03b80ab3-003d-498b-881c-3beedbaf1162
type: string
filter:
@@ -47621,12 +50759,16 @@ components:
example: A
type: string
metrics:
- description: List of metrics with their name, aggregation type, and field.
+ description: >-
+ List of metrics with their name, aggregation type, and
+ field.
items:
type: object
properties:
aggregation:
- description: The aggregation type of the metric. Only valid option is "sum"
+ description: >-
+ The aggregation type of the metric. Only valid option
+ is "sum"
enum:
- sum
example: sum
@@ -47671,12 +50813,16 @@ components:
example: A
type: string
metrics:
- description: List of metrics with their name, aggregation type, and field.
+ description: >-
+ List of metrics with their name, aggregation type, and
+ field.
items:
type: object
properties:
aggregation:
- description: The aggregation type of the metric. Only valid option is "sum"
+ description: >-
+ The aggregation type of the metric. Only valid option
+ is "sum"
enum:
- sum
example: sum
@@ -47725,7 +50871,11 @@ components:
type: object
properties:
dataViewId:
- description: The kibana data view id to use, primarily used to include data view runtime mappings. Make sure to save SLO again if you add/update run time fields to the data view and if those fields are being used in slo queries.
+ description: >-
+ The kibana data view id to use, primarily used to include data
+ view runtime mappings. Make sure to save SLO again if you
+ add/update run time fields to the data view and if those fields
+ are being used in slo queries.
example: 03b80ab3-003d-498b-881c-3beedbaf1162
type: string
filter:
@@ -47753,11 +50903,15 @@ components:
example: 'processor.outcome: "success"'
type: string
from:
- description: The starting value of the range. Only required for "range" aggregations.
+ description: >-
+ The starting value of the range. Only required for "range"
+ aggregations.
example: 0
type: number
to:
- description: The ending value of the range. Only required for "range" aggregations.
+ description: >-
+ The ending value of the range. Only required for "range"
+ aggregations.
example: 100
type: number
required:
@@ -47793,11 +50947,15 @@ components:
example: 'processor.outcome : *'
type: string
from:
- description: The starting value of the range. Only required for "range" aggregations.
+ description: >-
+ The starting value of the range. Only required for "range"
+ aggregations.
example: 0
type: number
to:
- description: The ending value of the range. Only required for "range" aggregations.
+ description: >-
+ The ending value of the range. Only required for "range"
+ aggregations.
example: 100
type: number
required:
@@ -47826,7 +50984,11 @@ components:
type: object
properties:
dataViewId:
- description: The kibana data view id to use, primarily used to include data view runtime mappings. Make sure to save SLO again if you add/update run time fields to the data view and if those fields are being used in slo queries.
+ description: >-
+ The kibana data view id to use, primarily used to include data
+ view runtime mappings. Make sure to save SLO again if you
+ add/update run time fields to the data view and if those fields
+ are being used in slo queries.
example: 03b80ab3-003d-498b-881c-3beedbaf1162
type: string
filter:
@@ -47838,12 +51000,15 @@ components:
example: my-service-*
type: string
metric:
- description: |
- An object defining the metrics, equation, and threshold to determine if it's a good slice or not
+ description: >
+ An object defining the metrics, equation, and threshold to
+ determine if it's a good slice or not
type: object
properties:
comparator:
- description: The comparator to use to compare the equation to the threshold.
+ description: >-
+ The comparator to use to compare the equation to the
+ threshold.
enum:
- GT
- GTE
@@ -47856,15 +51021,22 @@ components:
example: A
type: string
metrics:
- description: List of metrics with their name, aggregation type, and field.
+ description: >-
+ List of metrics with their name, aggregation type, and
+ field.
items:
anyOf:
- - $ref: '#/components/schemas/SLOs_timeslice_metric_basic_metric_with_field'
- - $ref: '#/components/schemas/SLOs_timeslice_metric_percentile_metric'
- - $ref: '#/components/schemas/SLOs_timeslice_metric_doc_count_metric'
+ - $ref: >-
+ #/components/schemas/SLOs_timeslice_metric_basic_metric_with_field
+ - $ref: >-
+ #/components/schemas/SLOs_timeslice_metric_percentile_metric
+ - $ref: >-
+ #/components/schemas/SLOs_timeslice_metric_doc_count_metric
type: array
threshold:
- description: The threshold used to determine if the metric is a good slice or not.
+ description: >-
+ The threshold used to determine if the metric is a good
+ slice or not.
example: 100
type: number
required:
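Review bot: Turning the three `$ref` values into `>-` block scalars only to satisfy a line-width limit hurts greppability and readability of the schema; the resulting string is the same, but a search for `$ref: '#/components/schemas/SLOs_timeslice_metric_percentile_metric'` no longer hits, and block scalars for reference paths are unusual enough to trip a reader. I would keep them on one line even past the limit: `- $ref: '#/components/schemas/SLOs_timeslice_metric_basic_metric_with_field'`, `- $ref: '#/components/schemas/SLOs_timeslice_metric_percentile_metric'`, `- $ref: '#/components/schemas/SLOs_timeslice_metric_doc_count_metric'`. The `externalDocs.url` under `locations` further down gets the same treatment and the same remark applies.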
@@ -47947,13 +51119,17 @@ components:
minimum: 0
type: number
timesliceTarget:
- description: the target objective for each slice when using a timeslices budgeting method
+ description: >-
+ the target objective for each slice when using a timeslices
+ budgeting method
example: 0.995
maximum: 100
minimum: 0
type: number
timesliceWindow:
- description: the duration of each slice when using a timeslices budgeting method, as {duraton}{unit}
+ description: >-
+ the duration of each slice when using a timeslices budgeting method,
+ as {duraton}{unit}
example: 5m
type: string
required:
@@ -47964,21 +51140,36 @@ components:
properties:
frequency:
default: 1m
- description: The interval between checks for changes in the source data. The minimum value is 1m and the maximum is 59m. The default value is 1 minute.
+ description: >-
+ The interval between checks for changes in the source data. The
+ minimum value is 1m and the maximum is 59m. The default value is 1
+ minute.
example: 5m
type: string
preventInitialBackfill:
default: false
- description: Start aggregating data from the time the SLO is created, instead of backfilling data from the beginning of the time window.
+ description: >-
+ Start aggregating data from the time the SLO is created, instead of
+ backfilling data from the beginning of the time window.
example: true
type: boolean
syncDelay:
default: 1m
- description: The time delay in minutes between the current time and the latest source data time. Increasing the value will delay any alerting. The default value is 1 minute. The minimum value is 1m and the maximum is 359m. It should always be greater then source index refresh interval.
+ description: >-
+ The time delay in minutes between the current time and the latest
+ source data time. Increasing the value will delay any alerting. The
+ default value is 1 minute. The minimum value is 1m and the maximum
+ is 359m. It should always be greater then source index refresh
+ interval.
example: 5m
type: string
syncField:
- description: The date field that is used to identify new documents in the source. It is strongly recommended to use a field that contains the ingest timestamp. If you use a different field, you might need to set the delay such that it accounts for data transmission delays. When unspecified, we use the indicator timestamp field.
+ description: >-
+ The date field that is used to identify new documents in the source.
+ It is strongly recommended to use a field that contains the ingest
+ timestamp. If you use a different field, you might need to set the
+ delay such that it accounts for data transmission delays. When
+ unspecified, we use the indicator timestamp field.
example: event.ingested
type: string
title: Settings
@@ -48189,11 +51380,16 @@ components:
type: object
properties:
duration:
- description: 'the duration formatted as {duration}{unit}. Accepted values for rolling: 7d, 30d, 90d. Accepted values for calendar aligned: 1w (weekly) or 1M (monthly)'
+ description: >-
+ the duration formatted as {duration}{unit}. Accepted values for
+ rolling: 7d, 30d, 90d. Accepted values for calendar aligned: 1w
+ (weekly) or 1M (monthly)
example: 30d
type: string
type:
- description: Indicates weither the time window is a rolling or a calendar aligned time window.
+ description: >-
+ Indicates weither the time window is a rolling or a calendar aligned
+ time window.
enum:
- rolling
- calendarAligned
@@ -48262,7 +51458,9 @@ components:
type: object
properties:
aggregation:
- description: The aggregation type of the metric. Only valid option is "percentile"
+ description: >-
+ The aggregation type of the metric. Only valid option is
+ "percentile"
enum:
- percentile
example: percentile
@@ -48291,8 +51489,9 @@ components:
- percentile
title: Timeslice Metric Percentile Metric
SLOs_update_slo_request:
- description: |
- The update SLO API request body varies depending on the type of indicator, time window and budgeting method. Partial update is handled.
+ description: >
+ The update SLO API request body varies depending on the type of
+ indicator, time window and budgeting method. Partial update is handled.
properties:
budgetingMethod:
$ref: '#/components/schemas/SLOs_budgeting_method'
@@ -48366,23 +51565,33 @@ components:
type: object
properties:
alert:
- description: |
- The alert configuration. The default is `{ status: { enabled: true }, tls: { enabled: true } }`.
+ description: >
+ The alert configuration. The default is `{ status: { enabled: true
+ }, tls: { enabled: true } }`.
type: object
enabled:
default: true
description: Specify whether the monitor is enabled.
type: boolean
locations:
- description: |
+ description: >
The location to deploy the monitor.
- Monitors can be deployed in multiple locations so that you can detect differences in availability and response times across those locations.
+
+ Monitors can be deployed in multiple locations so that you can
+ detect differences in availability and response times across those
+ locations.
+
To list available locations you can:
- - Run the `elastic-synthetics locations` command with the deployment's Kibana URL.
- - Go to *Synthetics > Management* and click *Create monitor*. Locations will be listed in *Locations*.
+
+ - Run the `elastic-synthetics locations` command with the
+ deployment's Kibana URL.
+
+ - Go to *Synthetics > Management* and click *Create monitor*.
+ Locations will be listed in *Locations*.
externalDocs:
- url: https://github.com/elastic/synthetics/blob/main/src/locations/public-locations.ts
+ url: >-
+ https://github.com/elastic/synthetics/blob/main/src/locations/public-locations.ts
items:
type: string
type: array
@@ -48391,35 +51600,57 @@ components:
type: string
namespace:
default: default
- description: |
- The namespace field should be lowercase and not contain spaces. The namespace must not include any of the following characters: `*`, `\`, `/`, `?`, `"`, `<`, `>`, `|`, whitespace, `,`, `#`, `:`, or `-`.
+ description: >
+ The namespace field should be lowercase and not contain spaces. The
+ namespace must not include any of the following characters: `*`,
+ `\`, `/`, `?`, `"`, `<`, `>`, `|`, whitespace, `,`, `#`, `:`, or
+ `-`.
type: string
params:
description: The monitor parameters.
type: string
private_locations:
- description: |
+ description: >
The private locations to which the monitors will be deployed.
- These private locations refer to locations hosted and managed by you, whereas `locations` are hosted by Elastic.
+
+ These private locations refer to locations hosted and managed by
+ you, whereas `locations` are hosted by Elastic.
+
You can specify a private location using the location's name.
+
To list available private locations you can:
- - Run the `elastic-synthetics locations` command with the deployment's Kibana URL.
- - Go to *Synthetics > Settings* and click *Private locationsr*. Private locations will be listed in the table.
+
+ - Run the `elastic-synthetics locations` command with the
+ deployment's Kibana URL.
+
+ - Go to *Synthetics > Settings* and click *Private locationsr*.
+ Private locations will be listed in the table.
+
> info
- > You can provide `locations` or `private_locations` or both. At least one is required.
+
+ > You can provide `locations` or `private_locations` or both. At
+ least one is required.
items:
type: string
type: array
retest_on_failure:
default: true
- description: |
- Turn retesting for when a monitor fails on or off. By default, monitors are automatically retested if the monitor goes from "up" to "down". If the result of the retest is also "down", an error will be created and if configured, an alert sent. The monitor will then resume running according to the defined schedule. Using `retest_on_failure` can reduce noise related to transient problems.
+ description: >
+ Turn retesting for when a monitor fails on or off. By default,
+ monitors are automatically retested if the monitor goes from "up" to
+ "down". If the result of the retest is also "down", an error will be
+ created and if configured, an alert sent. The monitor will then
+ resume running according to the defined schedule. Using
+ `retest_on_failure` can reduce noise related to transient problems.
type: boolean
schedule:
- description: |
- The monitor's schedule in minutes. Supported values are `1`, `3`, `5`, `10`, `15`, `30`, `60`, `120`, and `240`. The default value is `3` minutes for HTTP, TCP, and ICMP monitors. The default value is `10` minutes for Browser monitors.
+ description: >
+ The monitor's schedule in minutes. Supported values are `1`, `3`,
+ `5`, `10`, `15`, `30`, `60`, `120`, and `240`. The default value is
+ `3` minutes for HTTP, TCP, and ICMP monitors. The default value is
+ `10` minutes for Browser monitors.
type: number
service.name:
description: The APM service name.
@@ -48431,8 +51662,9 @@ components:
type: array
timeout:
default: 16
- description: |
- The monitor timeout in seconds. The monitor will fail if it doesn't complete within this time.
+ description: >
+ The monitor timeout in seconds. The monitor will fail if it doesn't
+ complete within this time.
type: number
required:
- name
@@ -48441,8 +51673,9 @@ components:
type: object
properties:
description:
- description: |
- The description of the parameter. It is included in the response if the user has read-only permissions to the Synthetics app.
+ description: >
+ The description of the parameter. It is included in the response if
+ the user has read-only permissions to the Synthetics app.
type: string
id:
description: The unique identifier of the parameter.
@@ -48451,20 +51684,25 @@ components:
description: The key of the parameter.
type: string
namespaces:
- description: |
- The namespaces associated with the parameter. It is included in the response if the user has read-only permissions to the Synthetics app.
+ description: >
+ The namespaces associated with the parameter. It is included in the
+ response if the user has read-only permissions to the Synthetics
+ app.
items:
type: string
type: array
tags:
- description: |
- An array of tags associated with the parameter. It is included in the response if the user has read-only permissions to the Synthetics app.
+ description: >
+ An array of tags associated with the parameter. It is included in
+ the response if the user has read-only permissions to the Synthetics
+ app.
items:
type: string
type: array
value:
- description: |
- The value associated with the parameter. It will be included in the response if the user has write permissions.
+ description: >
+ The value associated with the parameter. It will be included in the
+ response if the user has write permissions.
type: string
required: null
Synthetics_getPrivateLocation:
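Review bot: The `required: null` line at the end of this object is carried through unchanged, yet in an OpenAPI 3.0 Schema Object `required` must be a non-empty array of strings, so validators will reject it. If no property is mandatory, the key should simply be dropped rather than set to `null`; if some are, list them, e.g. `required:` followed by `- id` and `- key`. If this file is generated, the source spec is where the stray value presumably originates.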
@@ -48490,14 +51728,18 @@ components:
description: The unique identifier of the private location.
type: string
isInvalid:
- description: |
- Indicates whether the location is invalid. If `true`, the location is invalid, which means the agent policy associated with the location is deleted.
+ description: >
+ Indicates whether the location is invalid. If `true`, the location
+ is invalid, which means the agent policy associated with the
+ location is deleted.
type: boolean
label:
description: A label for the private location.
type: string
namespace:
- description: The namespace of the location, which is the same as the namespace of the agent policy associated with the location.
+ description: >-
+ The namespace of the location, which is the same as the namespace of
+ the agent policy associated with the location.
type: string
title: Post a private location
type: object
@@ -48519,8 +51761,10 @@ components:
description: Optional request body content.
type: string
headers:
- description: |
- A dictionary of additional HTTP headers to send. By default, Synthetics will set the User-Agent header to identify itself.
+ description: >
+ A dictionary of additional HTTP headers to send. By
+ default, Synthetics will set the User-Agent header to
+ identify itself.
type: object
method:
description: The HTTP method to use.
@@ -48538,7 +51782,9 @@ components:
body:
type: object
headers:
- description: A dictionary of expected HTTP headers. If the header is not found, the check fails.
+ description: >-
+ A dictionary of expected HTTP headers. If the header is
+ not found, the check fails.
type: object
ipv4:
default: true
@@ -48554,15 +51800,20 @@ components:
type: number
mode:
default: any
- description: |
- The mode of the monitor. If it is `all`, the monitor pings all resolvable IPs for a hostname. If it is `any`, the monitor pings only one IP address for a hostname. If you're using a DNS-load balancer and want to ping every IP address for the specified hostname, you should use `all`.
+ description: >
+ The mode of the monitor. If it is `all`, the monitor pings all
+ resolvable IPs for a hostname. If it is `any`, the monitor pings
+ only one IP address for a hostname. If you're using a DNS-load
+ balancer and want to ping every IP address for the specified
+ hostname, you should use `all`.
enum:
- all
- any
type: string
password:
- description: |
- The password for authenticating with the server. The credentials are passed with the request.
+ description: >
+ The password for authenticating with the server. The credentials
+ are passed with the request.
type: string
proxy_headers:
description: Additional headers to send to proxies during CONNECT requests.
@@ -48571,11 +51822,14 @@ components:
description: The URL of the proxy to use for this monitor.
type: string
response:
- description: Controls the indexing of the HTTP response body contents to the `http.response.body.contents field`.
+ description: >-
+ Controls the indexing of the HTTP response body contents to the
+ `http.response.body.contents field`.
type: object
ssl:
- description: |
- The TLS/SSL connection settings for use with the HTTPS endpoint. If you don't specify settings, the system defaults are used.
+ description: >
+ The TLS/SSL connection settings for use with the HTTPS endpoint.
+ If you don't specify settings, the system defaults are used.
type: object
type:
description: The monitor type.
@@ -48586,8 +51840,9 @@ components:
description: The URL to monitor.
type: string
username:
- description: |
- The username for authenticating with the server. The credentials are passed with the request.
+ description: >
+ The username for authenticating with the server. The credentials
+ are passed with the request.
type: string
required:
- type
@@ -48670,21 +51925,32 @@ components:
type: object
properties:
host:
- description: |
- The host to monitor; it can be an IP address or a hostname. The host can include the port using a colon, for example "example.com:9200".
+ description: >
+ The host to monitor; it can be an IP address or a hostname. The
+ host can include the port using a colon, for example
+ "example.com:9200".
type: string
proxy_url:
- description: |
- The URL of the SOCKS5 proxy to use when connecting to the server. The value must be a URL with a scheme of `socks5://`. If the SOCKS5 proxy server requires client authentication, then a username and password can be embedded in the URL. When using a proxy, hostnames are resolved on the proxy server instead of on the client. You can change this behavior by setting the `proxy_use_local_resolver` option.
+ description: >
+ The URL of the SOCKS5 proxy to use when connecting to the
+ server. The value must be a URL with a scheme of `socks5://`. If
+ the SOCKS5 proxy server requires client authentication, then a
+ username and password can be embedded in the URL. When using a
+ proxy, hostnames are resolved on the proxy server instead of on
+ the client. You can change this behavior by setting the
+ `proxy_use_local_resolver` option.
type: string
proxy_use_local_resolver:
default: false
- description: |
- Specify that hostnames are resolved locally instead of being resolved on the proxy server. If `false`, name resolution occurs on the proxy server.
+ description: >
+ Specify that hostnames are resolved locally instead of being
+ resolved on the proxy server. If `false`, name resolution occurs
+ on the proxy server.
type: boolean
ssl:
- description: |
- The TLS/SSL connection settings for use with the HTTPS endpoint. If you don't specify settings, the system defaults are used.
+ description: >
+ The TLS/SSL connection settings for use with the HTTPS endpoint.
+ If you don't specify settings, the system defaults are used.
type: object
type:
description: The monitor type.
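Review bot: The reflowed `proxy_url` description still tells users that a username and password may be embedded in the URL, but unlike `password` in the HTTP monitor the field is documented as a plain `type: string` with no statement about how such a value is treated when the monitor is read back. A sentence along the lines of `Treat a URL that embeds credentials as a secret.` would make the expectation explicit, and if the source spec records whether this value is redacted or write-only in responses, that belongs here too — to be confirmed against the implementation, since nothing in the hunk shows it.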
@@ -48696,8 +51962,11 @@ components:
- type
title: TCP monitor fields
Task_manager_health_APIs_configuration:
- description: |
- This object summarizes the current configuration of Task Manager. This includes dynamic configurations that change over time, such as `poll_interval` and `max_workers`, which can adjust in reaction to changing load on the system.
+ description: >
+ This object summarizes the current configuration of Task Manager. This
+ includes dynamic configurations that change over time, such as
+ `poll_interval` and `max_workers`, which can adjust in reaction to
+ changing load on the system.
type: object
Task_manager_health_APIs_health_response:
title: Task health response properties
@@ -48711,14 +51980,18 @@ components:
type: object
properties:
capacity_estimation:
- description: |
- This object provides a rough estimate about the sufficiency of its capacity. These are estimates based on historical data and should not be used as predictions.
+ description: >
+ This object provides a rough estimate about the sufficiency of
+ its capacity. These are estimates based on historical data and
+ should not be used as predictions.
type: object
configuration:
$ref: '#/components/schemas/Task_manager_health_APIs_configuration'
runtime:
- description: |
- This object tracks runtime performance of Task Manager, tracking task drift, worker load, and stats broken down by type, including duration and run results.
+ description: >
+ This object tracks runtime performance of Task Manager, tracking
+ task drift, worker load, and stats broken down by type,
+ including duration and run results.
type: object
workload:
$ref: '#/components/schemas/Task_manager_health_APIs_workload'
@@ -48727,8 +52000,9 @@ components:
timestamp:
type: string
Task_manager_health_APIs_workload:
- description: |
- This object summarizes the work load across the cluster, including the tasks in the system, their types, and current status.
+ description: >
+ This object summarizes the work load across the cluster, including the
+ tasks in the system, their types, and current status.
type: object
Upgrade_assistant_APIs_errorMessage:
description: The error that caused the reindex to fail, if it failed.
@@ -48737,9 +52011,17 @@ components:
description: The name of the old index.
type: string
Upgrade_assistant_APIs_lastCompletedStep:
- description: |
+ description: >
The last successfully completed step of the reindex. For example:
- - `0`: The reindex task has been created in Kibana. - `10`: The index group services stopped. Only applies to some system indices. - `20`: The index is set to readonly. - `30`: The new destination index has been created. - `40`: The reindex task in Elasticsearch has started. - `50`: The reindex task in Elasticsearch has completed. - `60`: Aliases were created to point to the new index, and the old index has been deleted. - `70`: The index group services have resumed. Only applies to some system indices.
+
+ - `0`: The reindex task has been created in Kibana. - `10`: The index
+ group services stopped. Only applies to some system indices. - `20`: The
+ index is set to readonly. - `30`: The new destination index has been
+ created. - `40`: The reindex task in Elasticsearch has started. - `50`:
+ The reindex task in Elasticsearch has completed. - `60`: Aliases were
+ created to point to the new index, and the old index has been deleted. -
+ `70`: The index group services have resumed. Only applies to some system
+ indices.
type: integer
Upgrade_assistant_APIs_locked:
type: string
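Review bot: The eight step descriptions in `Upgrade_assistant_APIs_lastCompletedStep` remain a single run-on line after the switch to `>`: folding joins `- \`0\`: … - \`10\`: …` into one paragraph, so the rendered docs show no list. Each `- \`N\`:` item should start on its own line, which in a folded scalar means separating the items with blank lines (or indenting them further so they are kept verbatim). The `Upgrade_assistant_APIs_status` description just below has the same collapsed list and should be fixed the same way; its hunk runs past the end of this view.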
@@ -48747,22 +52029,28 @@ components:
description: The name of the new index.
type: string
Upgrade_assistant_APIs_reindexOptions:
- description: The presence of this key indicates that the reindex job will occur in the batch.
+ description: >-
+ The presence of this key indicates that the reindex job will occur in
+ the batch.
type: object
properties:
queueSettings:
type: object
properties:
queuedAt:
- description: A Unix timestamp of when the reindex task was placed in the queue.
+ description: >-
+ A Unix timestamp of when the reindex task was placed in the
+ queue.
type: number
Upgrade_assistant_APIs_reindexTaskId:
- description: |
- The task ID of the reindex task in Elasticsearch. This value appears when the reindexing starts.
+ description: >
+ The task ID of the reindex task in Elasticsearch. This value appears
+ when the reindexing starts.
type: string
Upgrade_assistant_APIs_reindexTaskPercComplete:
- description: |
- The progress of the reindexing task in Elasticsearch. It appears in decimal form, from 0 to 1.
+ description: >
+ The progress of the reindexing task in Elasticsearch. It appears in
+ decimal form, from 0 to 1.
type: number
Upgrade_assistant_APIs_runningReindexCount:
type: number
@@ -48771,2936 +52059,303 @@ components:
The reindex status. For example:
- `0`: In progress - `1`: Completed - `2`: Failed - `3`: Paused
type: integer
- bedrock_config:
- title: Connector request properties for an Amazon Bedrock connector
- description: Defines properties for connectors when type is `.bedrock`.
- type: object
- required:
- - apiUrl
- properties:
- apiUrl:
- type: string
- description: The Amazon Bedrock request URL.
- defaultModel:
- type: string
- description: |
- The generative artificial intelligence model for Amazon Bedrock to use. Current support is for the Anthropic Claude models.
- default: us.anthropic.claude-3-7-sonnet-20250219-v1:0
- crowdstrike_config:
- title: Connector request config properties for a Crowdstrike connector
- required:
- - url
- description: Defines config properties for connectors when type is `.crowdstrike`.
- type: object
- properties:
- url:
- description: |
- The CrowdStrike tenant URL. If you are using the `xpack.actions.allowedHosts` setting, add the hostname to the allowed hosts.
- type: string
- d3security_config:
- title: Connector request properties for a D3 Security connector
- description: Defines properties for connectors when type is `.d3security`.
- type: object
- required:
- - url
- properties:
- url:
- type: string
- description: |
- The D3 Security API request URL. If you are using the `xpack.actions.allowedHosts` setting, add the hostname to the allowed hosts.
- email_config:
- title: Connector request properties for an email connector
- description: Defines properties for connectors when type is `.email`.
- required:
- - from
- type: object
- properties:
- clientId:
- description: |
- The client identifier, which is a part of OAuth 2.0 client credentials authentication, in GUID format. If `service` is `exchange_server`, this property is required.
- type: string
- nullable: true
- from:
- description: |
- The from address for all emails sent by the connector. It must be specified in `user@host-name` format.
- type: string
- hasAuth:
- description: |
- Specifies whether a user and password are required inside the secrets configuration.
- default: true
- type: boolean
- host:
- description: |
- The host name of the service provider. If the `service` is `elastic_cloud` (for Elastic Cloud notifications) or one of Nodemailer's well-known email service providers, this property is ignored. If `service` is `other`, this property must be defined.
- type: string
- oauthTokenUrl:
- type: string
- nullable: true
- port:
- description: |
- The port to connect to on the service provider. If the `service` is `elastic_cloud` (for Elastic Cloud notifications) or one of Nodemailer's well-known email service providers, this property is ignored. If `service` is `other`, this property must be defined.
- type: integer
- secure:
- description: |
- Specifies whether the connection to the service provider will use TLS. If the `service` is `elastic_cloud` (for Elastic Cloud notifications) or one of Nodemailer's well-known email service providers, this property is ignored.
- type: boolean
- service:
- description: |
- The name of the email service.
- type: string
- enum:
- - elastic_cloud
- - exchange_server
- - gmail
- - other
- - outlook365
- - ses
- tenantId:
- description: |
- The tenant identifier, which is part of OAuth 2.0 client credentials authentication, in GUID format. If `service` is `exchange_server`, this property is required.
- type: string
- nullable: true
- gemini_config:
- title: Connector request properties for an Google Gemini connector
- description: Defines properties for connectors when type is `.gemini`.
- type: object
- required:
- - apiUrl
- - gcpRegion
- - gcpProjectID
- properties:
- apiUrl:
- type: string
- description: The Google Gemini request URL.
- defaultModel:
- type: string
- description: The generative artificial intelligence model for Google Gemini to use.
- default: gemini-1.5-pro-002
- gcpRegion:
- type: string
- description: The GCP region where the Vertex AI endpoint enabled.
- gcpProjectID:
- type: string
- description: The Google ProjectID that has Vertex AI endpoint enabled.
- resilient_config:
- title: Connector request properties for a IBM Resilient connector
- required:
- - apiUrl
- - orgId
- description: Defines properties for connectors when type is `.resilient`.
- type: object
- properties:
- apiUrl:
- description: The IBM Resilient instance URL.
- type: string
- orgId:
- description: The IBM Resilient organization ID.
- type: string
- index_config:
- title: Connector request properties for an index connector
- required:
- - index
- description: Defines properties for connectors when type is `.index`.
- type: object
- properties:
- executionTimeField:
- description: A field that indicates when the document was indexed.
- default: null
- type: string
- nullable: true
- index:
- description: The Elasticsearch index to be written to.
- type: string
- refresh:
- description: |
- The refresh policy for the write request, which affects when changes are made visible to search. Refer to the refresh setting for Elasticsearch document APIs.
- default: false
- type: boolean
- jira_config:
- title: Connector request properties for a Jira connector
- required:
- - apiUrl
- - projectKey
- description: Defines properties for connectors when type is `.jira`.
- type: object
- properties:
- apiUrl:
- description: The Jira instance URL.
- type: string
- projectKey:
- description: The Jira project key.
- type: string
- defender_config:
- title: Connector request properties for a Microsoft Defender for Endpoint connector
- required:
- - apiUrl
- - projectKey
- description: Defines properties for connectors when type is `.microsoft_defender_endpoint`.
- type: object
- properties:
- apiUrl:
- type: string
- description: |
- The URL of the Microsoft Defender for Endpoint API. If you are using the `xpack.actions.allowedHosts` setting, make sure the hostname is added to the allowed hosts.
- clientId:
- type: string
- description: The application (client) identifier for your app in the Azure portal.
- oAuthScope:
- type: string
- description: The OAuth scopes or permission sets for the Microsoft Defender for Endpoint API.
- oAuthServerUrl:
- type: string
- description: The OAuth server URL where authentication is sent and received for the Microsoft Defender for Endpoint API.
- tenantId:
- description: The tenant identifier for your app in the Azure portal.
- type: string
- genai_azure_config:
- title: Connector request properties for an OpenAI connector that uses Azure OpenAI
- description: |
- Defines properties for connectors when type is `.gen-ai` and the API provider is `Azure OpenAI`.
- type: object
- required:
- - apiProvider
- - apiUrl
- properties:
- apiProvider:
- type: string
- description: The OpenAI API provider.
- enum:
- - Azure OpenAI
- apiUrl:
- type: string
- description: The OpenAI API endpoint.
- genai_openai_config:
- title: Connector request properties for an OpenAI connector
- description: |
- Defines properties for connectors when type is `.gen-ai` and the API provider is `OpenAI`.
- type: object
- required:
- - apiProvider
- - apiUrl
- properties:
- apiProvider:
- type: string
- description: The OpenAI API provider.
- enum:
- - OpenAI
- apiUrl:
- type: string
- description: The OpenAI API endpoint.
- defaultModel:
- type: string
- description: The default model to use for requests.
- opsgenie_config:
- title: Connector request properties for an Opsgenie connector
- required:
- - apiUrl
- description: Defines properties for connectors when type is `.opsgenie`.
- type: object
- properties:
- apiUrl:
- description: |
- The Opsgenie URL. For example, `https://api.opsgenie.com` or `https://api.eu.opsgenie.com`. If you are using the `xpack.actions.allowedHosts` setting, add the hostname to the allowed hosts.
- type: string
- pagerduty_config:
- title: Connector request properties for a PagerDuty connector
- description: Defines properties for connectors when type is `.pagerduty`.
- type: object
- properties:
- apiUrl:
- description: The PagerDuty event URL.
- type: string
- nullable: true
- example: https://events.pagerduty.com/v2/enqueue
- sentinelone_config:
- title: Connector request properties for a SentinelOne connector
- required:
- - url
- description: Defines properties for connectors when type is `.sentinelone`.
- type: object
- properties:
- url:
- description: |
- The SentinelOne tenant URL. If you are using the `xpack.actions.allowedHosts` setting, add the hostname to the allowed hosts.
- type: string
- servicenow_config:
- title: Connector request properties for a ServiceNow ITSM connector
- required:
- - apiUrl
- description: Defines properties for connectors when type is `.servicenow`.
- type: object
- properties:
- apiUrl:
- type: string
- description: The ServiceNow instance URL.
- clientId:
- description: |
- The client ID assigned to your OAuth application. This property is required when `isOAuth` is `true`.
- type: string
- isOAuth:
- description: |
- The type of authentication to use. The default value is false, which means basic authentication is used instead of open authorization (OAuth).
- default: false
- type: boolean
- jwtKeyId:
- description: |
- The key identifier assigned to the JWT verifier map of your OAuth application. This property is required when `isOAuth` is `true`.
- type: string
- userIdentifierValue:
- description: |
- The identifier to use for OAuth authentication. This identifier should be the user field you selected when you created an OAuth JWT API endpoint for external clients in your ServiceNow instance. For example, if the selected user field is `Email`, the user identifier should be the user's email address. This property is required when `isOAuth` is `true`.
- type: string
- usesTableApi:
- description: |
- Determines whether the connector uses the Table API or the Import Set API. This property is supported only for ServiceNow ITSM and ServiceNow SecOps connectors. NOTE: If this property is set to `false`, the Elastic application should be installed in ServiceNow.
- default: true
- type: boolean
- servicenow_itom_config:
- title: Connector request properties for a ServiceNow ITOM connector
- required:
- - apiUrl
- description: Defines properties for connectors when type is `.servicenow-itom`.
- type: object
- properties:
- apiUrl:
- type: string
- description: The ServiceNow instance URL.
- clientId:
- description: |
- The client ID assigned to your OAuth application. This property is required when `isOAuth` is `true`.
- type: string
- isOAuth:
- description: |
- The type of authentication to use. The default value is false, which means basic authentication is used instead of open authorization (OAuth).
- default: false
- type: boolean
- jwtKeyId:
- description: |
- The key identifier assigned to the JWT verifier map of your OAuth application. This property is required when `isOAuth` is `true`.
- type: string
- userIdentifierValue:
- description: |
- The identifier to use for OAuth authentication. This identifier should be the user field you selected when you created an OAuth JWT API endpoint for external clients in your ServiceNow instance. For example, if the selected user field is `Email`, the user identifier should be the user's email address. This property is required when `isOAuth` is `true`.
- type: string
- slack_api_config:
- title: Connector request properties for a Slack connector
- description: Defines properties for connectors when type is `.slack_api`.
- type: object
- properties:
- allowedChannels:
- type: array
- description: A list of valid Slack channels.
- items:
- type: object
- required:
- - id
- - name
- maxItems: 25
- properties:
- id:
- type: string
- description: The Slack channel ID.
- example: C123ABC456
- minLength: 1
- name:
- type: string
- description: The Slack channel name.
- minLength: 1
- swimlane_config:
- title: Connector request properties for a Swimlane connector
- required:
- - apiUrl
- - appId
- - connectorType
- description: Defines properties for connectors when type is `.swimlane`.
- type: object
- properties:
- apiUrl:
- description: The Swimlane instance URL.
- type: string
- appId:
- description: The Swimlane application ID.
- type: string
- connectorType:
- description: The type of connector. Valid values are `all`, `alerts`, and `cases`.
- type: string
- enum:
- - all
- - alerts
- - cases
- mappings:
- title: Connector mappings properties for a Swimlane connector
- description: The field mapping.
- type: object
- properties:
- alertIdConfig:
- title: Alert identifier mapping
- description: Mapping for the alert ID.
- type: object
- required:
- - fieldType
- - id
- - key
- - name
- properties:
- fieldType:
- type: string
- description: The type of field in Swimlane.
- id:
- type: string
- description: The identifier for the field in Swimlane.
- key:
- type: string
- description: The key for the field in Swimlane.
- name:
- type: string
- description: The name of the field in Swimlane.
- caseIdConfig:
- title: Case identifier mapping
- description: Mapping for the case ID.
- type: object
- required:
- - fieldType
- - id
- - key
- - name
- properties:
- fieldType:
- type: string
- description: The type of field in Swimlane.
- id:
- type: string
- description: The identifier for the field in Swimlane.
- key:
- type: string
- description: The key for the field in Swimlane.
- name:
- type: string
- description: The name of the field in Swimlane.
- caseNameConfig:
- title: Case name mapping
- description: Mapping for the case name.
- type: object
- required:
- - fieldType
- - id
- - key
- - name
- properties:
- fieldType:
- type: string
- description: The type of field in Swimlane.
- id:
- type: string
- description: The identifier for the field in Swimlane.
- key:
- type: string
- description: The key for the field in Swimlane.
- name:
- type: string
- description: The name of the field in Swimlane.
- commentsConfig:
- title: Case comment mapping
- description: Mapping for the case comments.
- type: object
- required:
- - fieldType
- - id
- - key
- - name
- properties:
- fieldType:
- type: string
- description: The type of field in Swimlane.
- id:
- type: string
- description: The identifier for the field in Swimlane.
- key:
- type: string
- description: The key for the field in Swimlane.
- name:
- type: string
- description: The name of the field in Swimlane.
- descriptionConfig:
- title: Case description mapping
- description: Mapping for the case description.
- type: object
- required:
- - fieldType
- - id
- - key
- - name
- properties:
- fieldType:
- type: string
- description: The type of field in Swimlane.
- id:
- type: string
- description: The identifier for the field in Swimlane.
- key:
- type: string
- description: The key for the field in Swimlane.
- name:
- type: string
- description: The name of the field in Swimlane.
- ruleNameConfig:
- title: Rule name mapping
- description: Mapping for the name of the alert's rule.
- type: object
- required:
- - fieldType
- - id
- - key
- - name
- properties:
- fieldType:
- type: string
- description: The type of field in Swimlane.
- id:
- type: string
- description: The identifier for the field in Swimlane.
- key:
- type: string
- description: The key for the field in Swimlane.
- name:
- type: string
- description: The name of the field in Swimlane.
- severityConfig:
- title: Severity mapping
- description: Mapping for the severity.
- type: object
- required:
- - fieldType
- - id
- - key
- - name
- properties:
- fieldType:
- type: string
- description: The type of field in Swimlane.
- id:
- type: string
- description: The identifier for the field in Swimlane.
- key:
- type: string
- description: The key for the field in Swimlane.
- name:
- type: string
- description: The name of the field in Swimlane.
- thehive_config:
- title: Connector request properties for a TheHive connector
- description: Defines configuration properties for connectors when type is `.thehive`.
- type: object
- required:
- - url
- properties:
- organisation:
- type: string
- description: |
- The organisation in TheHive that will contain the alerts or cases. By default, the connector uses the default organisation of the user account that created the API key.
- url:
- type: string
- description: |
- The instance URL in TheHive. If you are using the `xpack.actions.allowedHosts` setting, add the hostname to the allowed hosts.
- tines_config:
- title: Connector request properties for a Tines connector
- description: Defines properties for connectors when type is `.tines`.
- type: object
- required:
- - url
- properties:
- url:
- description: |
- The Tines tenant URL. If you are using the `xpack.actions.allowedHosts` setting, make sure this hostname is added to the allowed hosts.
- type: string
- torq_config:
- title: Connector request properties for a Torq connector
- description: Defines properties for connectors when type is `.torq`.
- type: object
- required:
- - webhookIntegrationUrl
- properties:
- webhookIntegrationUrl:
- description: The endpoint URL of the Elastic Security integration in Torq.
- type: string
- auth_type:
- title: Authentication type
- type: string
- nullable: true
- enum:
- - webhook-authentication-basic
- - webhook-authentication-ssl
- description: |
- The type of authentication to use: basic, SSL, or none.
- ca:
- title: Certificate authority
- type: string
- description: |
- A base64 encoded version of the certificate authority file that the connector can trust to sign and validate certificates. This option is available for all authentication types.
- cert_type:
- title: Certificate type
- type: string
- description: |
- If the `authType` is `webhook-authentication-ssl`, specifies whether the certificate authentication data is in a CRT and key file format or a PFX file format.
- enum:
- - ssl-crt-key
- - ssl-pfx
- has_auth:
- title: Has authentication
- type: boolean
- description: If true, a username and password for login type authentication must be provided.
- default: true
- verification_mode:
- title: Verification mode
- type: string
- enum:
- - certificate
- - full
- - none
- default: full
- description: |
- Controls the verification of certificates. Use `full` to validate that the certificate has an issue date within the `not_before` and `not_after` dates, chains to a trusted certificate authority (CA), and has a hostname or IP address that matches the names within the certificate. Use `certificate` to validate the certificate and verify that it is signed by a trusted authority; this option does not check the certificate hostname. Use `none` to skip certificate validation.
- webhook_config:
- title: Connector request properties for a Webhook connector
- description: Defines properties for connectors when type is `.webhook`.
- type: object
- properties:
- authType:
- $ref: '#/components/schemas/auth_type'
- ca:
- $ref: '#/components/schemas/ca'
- certType:
- $ref: '#/components/schemas/cert_type'
- hasAuth:
- $ref: '#/components/schemas/has_auth'
- headers:
- type: object
- nullable: true
- description: A set of key-value pairs sent as headers with the request.
- method:
- type: string
- default: post
- enum:
- - post
- - put
- description: |
- The HTTP request method, either `post` or `put`.
- url:
- type: string
- description: |
- The request URL. If you are using the `xpack.actions.allowedHosts` setting, add the hostname to the allowed hosts.
- verificationMode:
- $ref: '#/components/schemas/verification_mode'
- cases_webhook_config:
- title: Connector request properties for Webhook - Case Management connector
- required:
- - createIncidentJson
- - createIncidentResponseKey
- - createIncidentUrl
- - getIncidentResponseExternalTitleKey
- - getIncidentUrl
- - updateIncidentJson
- - updateIncidentUrl
- - viewIncidentUrl
- description: Defines properties for connectors when type is `.cases-webhook`.
- type: object
- properties:
- authType:
- $ref: '#/components/schemas/auth_type'
- ca:
- $ref: '#/components/schemas/ca'
- certType:
- $ref: '#/components/schemas/cert_type'
- createCommentJson:
- type: string
- description: |
- A JSON payload sent to the create comment URL to create a case comment. You can use variables to add Kibana Cases data to the payload. The required variable is `case.comment`. Due to Mustache template variables (the text enclosed in triple braces, for example, `{{{case.title}}}`), the JSON is not validated when you create the connector. The JSON is validated once the Mustache variables have been placed when the REST method runs. Manually ensure that the JSON is valid, disregarding the Mustache variables, so the later validation will pass.
- example: '{"body": {{{case.comment}}}}'
- createCommentMethod:
- type: string
- description: |
- The REST API HTTP request method to create a case comment in the third-party system. Valid values are `patch`, `post`, and `put`.
- default: put
- enum:
- - patch
- - post
- - put
- createCommentUrl:
- type: string
- description: |
- The REST API URL to create a case comment by ID in the third-party system. You can use a variable to add the external system ID to the URL. If you are using the `xpack.actions.allowedHosts setting`, add the hostname to the allowed hosts.
- example: https://example.com/issue/{{{external.system.id}}}/comment
- createIncidentJson:
- type: string
- description: |
- A JSON payload sent to the create case URL to create a case. You can use variables to add case data to the payload. Required variables are `case.title` and `case.description`. Due to Mustache template variables (which is the text enclosed in triple braces, for example, `{{{case.title}}}`), the JSON is not validated when you create the connector. The JSON is validated after the Mustache variables have been placed when REST method runs. Manually ensure that the JSON is valid to avoid future validation errors; disregard Mustache variables during your review.
- example: '{"fields": {"summary": {{{case.title}}},"description": {{{case.description}}},"labels": {{{case.tags}}}}}'
- createIncidentMethod:
- type: string
- description: |
- The REST API HTTP request method to create a case in the third-party system. Valid values are `patch`, `post`, and `put`.
- enum:
- - patch
- - post
- - put
- default: post
- createIncidentResponseKey:
- type: string
- description: The JSON key in the create external case response that contains the case ID.
- createIncidentUrl:
- type: string
- description: |
- The REST API URL to create a case in the third-party system. If you are using the `xpack.actions.allowedHosts` setting, add the hostname to the allowed hosts.
- getIncidentResponseExternalTitleKey:
- type: string
- description: The JSON key in get external case response that contains the case title.
- getIncidentUrl:
- type: string
- description: |
- The REST API URL to get the case by ID from the third-party system. If you are using the `xpack.actions.allowedHosts` setting, add the hostname to the allowed hosts. You can use a variable to add the external system ID to the URL. Due to Mustache template variables (the text enclosed in triple braces, for example, `{{{case.title}}}`), the JSON is not validated when you create the connector. The JSON is validated after the Mustache variables have been placed when REST method runs. Manually ensure that the JSON is valid, disregarding the Mustache variables, so the later validation will pass.
- example: https://example.com/issue/{{{external.system.id}}}
- hasAuth:
- $ref: '#/components/schemas/has_auth'
- headers:
- type: string
- description: |
- A set of key-value pairs sent as headers with the request URLs for the create case, update case, get case, and create comment methods.
- updateIncidentJson:
- type: string
- description: |
- The JSON payload sent to the update case URL to update the case. You can use variables to add Kibana Cases data to the payload. Required variables are `case.title` and `case.description`. Due to Mustache template variables (which is the text enclosed in triple braces, for example, `{{{case.title}}}`), the JSON is not validated when you create the connector. The JSON is validated after the Mustache variables have been placed when REST method runs. Manually ensure that the JSON is valid to avoid future validation errors; disregard Mustache variables during your review.
- example: '{"fields": {"summary": {{{case.title}}},"description": {{{case.description}}},"labels": {{{case.tags}}}}}'
- updateIncidentMethod:
- type: string
- description: |
- The REST API HTTP request method to update the case in the third-party system. Valid values are `patch`, `post`, and `put`.
- default: put
- enum:
- - patch
- - post
- - put
- updateIncidentUrl:
- type: string
- description: |
- The REST API URL to update the case by ID in the third-party system. You can use a variable to add the external system ID to the URL. If you are using the `xpack.actions.allowedHosts` setting, add the hostname to the allowed hosts.
- example: https://example.com/issue/{{{external.system.ID}}}
- verificationMode:
- $ref: '#/components/schemas/verification_mode'
- viewIncidentUrl:
- type: string
- description: |
- The URL to view the case in the external system. You can use variables to add the external system ID or external system title to the URL.
- example: https://testing-jira.atlassian.net/browse/{{{external.system.title}}}
- xmatters_config:
- title: Connector request properties for an xMatters connector
- description: Defines properties for connectors when type is `.xmatters`.
- type: object
- properties:
- configUrl:
- description: |
- The request URL for the Elastic Alerts trigger in xMatters. It is applicable only when `usesBasic` is `true`.
- type: string
- nullable: true
- usesBasic:
- description: Specifies whether the connector uses HTTP basic authentication (`true`) or URL authentication (`false`).
- type: boolean
- default: true
- bedrock_secrets:
- title: Connector secrets properties for an Amazon Bedrock connector
- description: Defines secrets for connectors when type is `.bedrock`.
- type: object
- required:
- - accessKey
- - secret
- properties:
- accessKey:
- type: string
- description: The AWS access key for authentication.
- secret:
- type: string
- description: The AWS secret for authentication.
- crowdstrike_secrets:
- title: Connector secrets properties for a Crowdstrike connector
- description: Defines secrets for connectors when type is `.crowdstrike`.
- type: object
- required:
- - clientId
- - clientSecret
- properties:
- clientId:
- description: The CrowdStrike API client identifier.
- type: string
- clientSecret:
- description: The CrowdStrike API client secret to authenticate the `clientId`.
- type: string
- d3security_secrets:
- title: Connector secrets properties for a D3 Security connector
- description: Defines secrets for connectors when type is `.d3security`.
- required:
- - token
- type: object
- properties:
- token:
- type: string
- description: The D3 Security token.
- email_secrets:
- title: Connector secrets properties for an email connector
- description: Defines secrets for connectors when type is `.email`.
- type: object
- properties:
- clientSecret:
- type: string
- description: |
- The Microsoft Exchange Client secret for OAuth 2.0 client credentials authentication. It must be URL-encoded. If `service` is `exchange_server`, this property is required.
- password:
- type: string
- description: |
- The password for HTTP basic authentication. If `hasAuth` is set to `true`, this property is required.
- user:
- type: string
- description: |
- The username for HTTP basic authentication. If `hasAuth` is set to `true`, this property is required.
- gemini_secrets:
- title: Connector secrets properties for a Google Gemini connector
- description: Defines secrets for connectors when type is `.gemini`.
- type: object
- required:
- - credentialsJson
- properties:
- credentialsJson:
- type: string
- description: The service account credentials JSON file. The service account should have Vertex AI user IAM role assigned to it.
- resilient_secrets:
- title: Connector secrets properties for IBM Resilient connector
- required:
- - apiKeyId
- - apiKeySecret
- description: Defines secrets for connectors when type is `.resilient`.
- type: object
- properties:
- apiKeyId:
- type: string
- description: The authentication key ID for HTTP Basic authentication.
- apiKeySecret:
- type: string
- description: The authentication key secret for HTTP Basic authentication.
- jira_secrets:
- title: Connector secrets properties for a Jira connector
- required:
- - apiToken
- - email
- description: Defines secrets for connectors when type is `.jira`.
- type: object
- properties:
- apiToken:
- description: The Jira API authentication token for HTTP basic authentication.
- type: string
- email:
- description: The account email for HTTP Basic authentication.
- type: string
- teams_secrets:
- title: Connector secrets properties for a Microsoft Teams connector
- description: Defines secrets for connectors when type is `.teams`.
- type: object
- required:
- - webhookUrl
- properties:
- webhookUrl:
- type: string
- description: |
- The URL of the incoming webhook. If you are using the `xpack.actions.allowedHosts` setting, add the hostname to the allowed hosts.
- genai_secrets:
- title: Connector secrets properties for an OpenAI connector
- description: Defines secrets for connectors when type is `.gen-ai`.
- type: object
- properties:
- apiKey:
- type: string
- description: The OpenAI API key.
- opsgenie_secrets:
- title: Connector secrets properties for an Opsgenie connector
- required:
- - apiKey
- description: Defines secrets for connectors when type is `.opsgenie`.
- type: object
- properties:
- apiKey:
- description: The Opsgenie API authentication key for HTTP Basic authentication.
- type: string
- pagerduty_secrets:
- title: Connector secrets properties for a PagerDuty connector
- description: Defines secrets for connectors when type is `.pagerduty`.
- type: object
- required:
- - routingKey
- properties:
- routingKey:
- description: |
- A 32 character PagerDuty Integration Key for an integration on a service.
- type: string
- sentinelone_secrets:
- title: Connector secrets properties for a SentinelOne connector
- description: Defines secrets for connectors when type is `.sentinelone`.
- type: object
- required:
- - token
- properties:
- token:
- description: The A SentinelOne API token.
- type: string
- servicenow_secrets:
- title: Connector secrets properties for ServiceNow ITOM, ServiceNow ITSM, and ServiceNow SecOps connectors
- description: Defines secrets for connectors when type is `.servicenow`, `.servicenow-sir`, or `.servicenow-itom`.
- type: object
- properties:
- clientSecret:
- type: string
- description: The client secret assigned to your OAuth application. This property is required when `isOAuth` is `true`.
- password:
- type: string
- description: The password for HTTP basic authentication. This property is required when `isOAuth` is `false`.
- privateKey:
- type: string
- description: The RSA private key that you created for use in ServiceNow. This property is required when `isOAuth` is `true`.
- privateKeyPassword:
- type: string
- description: The password for the RSA private key. This property is required when `isOAuth` is `true` and you set a password on your private key.
- username:
- type: string
- description: The username for HTTP basic authentication. This property is required when `isOAuth` is `false`.
- slack_api_secrets:
- title: Connector secrets properties for a Web API Slack connector
- description: Defines secrets for connectors when type is `.slack`.
- required:
- - token
- type: object
- properties:
- token:
- type: string
- description: Slack bot user OAuth token.
- swimlane_secrets:
- title: Connector secrets properties for a Swimlane connector
- description: Defines secrets for connectors when type is `.swimlane`.
- type: object
- properties:
- apiToken:
- description: Swimlane API authentication token.
- type: string
- thehive_secrets:
- title: Connector secrets properties for a TheHive connector
- description: Defines secrets for connectors when type is `.thehive`.
- required:
- - apiKey
- type: object
- properties:
- apiKey:
- type: string
- description: The API key for authentication in TheHive.
- tines_secrets:
- title: Connector secrets properties for a Tines connector
- description: Defines secrets for connectors when type is `.tines`.
- type: object
- required:
- - email
- - token
- properties:
- email:
- description: The email used to sign in to Tines.
- type: string
- token:
- description: The Tines API token.
- type: string
- torq_secrets:
- title: Connector secrets properties for a Torq connector
- description: Defines secrets for connectors when type is `.torq`.
- type: object
- required:
- - token
- properties:
- token:
- description: The secret of the webhook authentication header.
- type: string
- crt:
- title: Certificate
- type: string
- description: If `authType` is `webhook-authentication-ssl` and `certType` is `ssl-crt-key`, it is a base64 encoded version of the CRT or CERT file.
- key:
- title: Certificate key
- type: string
- description: If `authType` is `webhook-authentication-ssl` and `certType` is `ssl-crt-key`, it is a base64 encoded version of the KEY file.
- pfx:
- title: Personal information exchange
- type: string
- description: If `authType` is `webhook-authentication-ssl` and `certType` is `ssl-pfx`, it is a base64 encoded version of the PFX or P12 file.
- webhook_secrets:
- title: Connector secrets properties for a Webhook connector
- description: Defines secrets for connectors when type is `.webhook`.
- type: object
- properties:
- crt:
- $ref: '#/components/schemas/crt'
- key:
- $ref: '#/components/schemas/key'
- pfx:
- $ref: '#/components/schemas/pfx'
- password:
- type: string
- description: |
- The password for HTTP basic authentication or the passphrase for the SSL certificate files. If `hasAuth` is set to `true` and `authType` is `webhook-authentication-basic`, this property is required.
- user:
- type: string
- description: |
- The username for HTTP basic authentication. If `hasAuth` is set to `true` and `authType` is `webhook-authentication-basic`, this property is required.
- cases_webhook_secrets:
- title: Connector secrets properties for Webhook - Case Management connector
- type: object
- properties:
- crt:
- $ref: '#/components/schemas/crt'
- key:
- $ref: '#/components/schemas/key'
- pfx:
- $ref: '#/components/schemas/pfx'
- password:
- type: string
- description: |
- The password for HTTP basic authentication. If `hasAuth` is set to `true` and and `authType` is `webhook-authentication-basic`, this property is required.
- user:
- type: string
- description: |
- The username for HTTP basic authentication. If `hasAuth` is set to `true` and `authType` is `webhook-authentication-basic`, this property is required.
- xmatters_secrets:
- title: Connector secrets properties for an xMatters connector
- description: Defines secrets for connectors when type is `.xmatters`.
- type: object
- properties:
- password:
- description: |
- A user name for HTTP basic authentication. It is applicable only when `usesBasic` is `true`.
- type: string
- secretsUrl:
- description: |
- The request URL for the Elastic Alerts trigger in xMatters with the API key included in the URL. It is applicable only when `usesBasic` is `false`.
- type: string
- user:
- description: |
- A password for HTTP basic authentication. It is applicable only when `usesBasic` is `true`.
- type: string
- defender_secrets:
- title: Connector secrets properties for a Microsoft Defender for Endpoint connector
- required:
- - clientSecret
- description: Defines secrets for connectors when type is `..microsoft_defender_endpoint`.
- type: object
- properties:
- clientSecret:
- description: The client secret for your app in the Azure portal.
- type: string
- run_acknowledge_resolve_pagerduty:
- title: PagerDuty connector parameters
- description: Test an action that acknowledges or resolves a PagerDuty alert.
- type: object
- required:
- - dedupKey
- - eventAction
- properties:
- dedupKey:
- description: The deduplication key for the PagerDuty alert.
- type: string
- maxLength: 255
- eventAction:
- description: The type of event.
- type: string
- enum:
- - acknowledge
- - resolve
- run_documents:
- title: Index connector parameters
- description: Test an action that indexes a document into Elasticsearch.
- type: object
- required:
- - documents
- properties:
- documents:
- type: array
- description: The documents in JSON format for index connectors.
- items:
- type: object
- additionalProperties: true
- run_message_email:
- title: Email connector parameters
- description: |
- Test an action that sends an email message. There must be at least one recipient in `to`, `cc`, or `bcc`.
- type: object
- required:
- - message
- - subject
- - anyOf:
- - to
- - cc
- - bcc
- properties:
- bcc:
- type: array
- items:
- type: string
- description: |
- A list of "blind carbon copy" email addresses. Addresses can be specified in `user@host-name` format or in name `` format
- cc:
- type: array
- items:
- type: string
- description: |
- A list of "carbon copy" email addresses. Addresses can be specified in `user@host-name` format or in name `` format
- message:
- type: string
- description: The email message text. Markdown format is supported.
- subject:
- type: string
- description: The subject line of the email.
- to:
- type: array
- description: |
- A list of email addresses. Addresses can be specified in `user@host-name` format or in name `` format.
- items:
- type: string
- run_message_serverlog:
- title: Server log connector parameters
- description: Test an action that writes an entry to the Kibana server log.
- type: object
- required:
- - message
- properties:
- level:
- type: string
- description: The log level of the message for server log connectors.
- enum:
- - debug
- - error
- - fatal
- - info
- - trace
- - warn
- default: info
- message:
- type: string
- description: The message for server log connectors.
- run_message_slack:
- title: Slack connector parameters
- description: |
- Test an action that sends a message to Slack. It is applicable only when the connector type is `.slack`.
- type: object
- required:
- - message
- properties:
- message:
- type: string
- description: The Slack message text, which cannot contain Markdown, images, or other advanced formatting.
- run_trigger_pagerduty:
- title: PagerDuty connector parameters
- description: Test an action that triggers a PagerDuty alert.
- type: object
- required:
- - eventAction
- properties:
- class:
- description: The class or type of the event.
- type: string
- example: cpu load
- component:
- description: The component of the source machine that is responsible for the event.
- type: string
- example: eth0
- customDetails:
- description: Additional details to add to the event.
- type: object
- dedupKey:
- description: |
- All actions sharing this key will be associated with the same PagerDuty alert. This value is used to correlate trigger and resolution.
- type: string
- maxLength: 255
- eventAction:
- description: The type of event.
- type: string
- enum:
- - trigger
- group:
- description: The logical grouping of components of a service.
- type: string
- example: app-stack
- links:
- description: A list of links to add to the event.
- type: array
- items:
- type: object
- properties:
- href:
- description: The URL for the link.
- type: string
- text:
- description: A plain text description of the purpose of the link.
- type: string
- severity:
- description: The severity of the event on the affected system.
- type: string
- enum:
- - critical
- - error
- - info
- - warning
- default: info
- source:
- description: |
- The affected system, such as a hostname or fully qualified domain name. Defaults to the Kibana saved object id of the action.
- type: string
- summary:
- description: A summery of the event.
- type: string
- maxLength: 1024
- timestamp:
- description: An ISO-8601 timestamp that indicates when the event was detected or generated.
- type: string
- format: date-time
- run_addevent:
- title: The addEvent subaction
- type: object
- required:
- - subAction
- description: The `addEvent` subaction for ServiceNow ITOM connectors.
- properties:
- subAction:
- type: string
- description: The action to test.
- enum:
- - addEvent
- subActionParams:
- type: object
- description: The set of configuration properties for the action.
- properties:
- additional_info:
- type: string
- description: Additional information about the event.
- description:
- type: string
- description: The details about the event.
- event_class:
- type: string
- description: A specific instance of the source.
- message_key:
- type: string
- description: All actions sharing this key are associated with the same ServiceNow alert. The default value is `:`.
- metric_name:
- type: string
- description: The name of the metric.
- node:
- type: string
- description: The host that the event was triggered for.
- resource:
- type: string
- description: The name of the resource.
- severity:
- type: string
- description: The severity of the event.
- source:
- type: string
- description: The name of the event source type.
- time_of_event:
- type: string
- description: The time of the event.
- type:
- type: string
- description: The type of event.
- run_closealert:
- title: The closeAlert subaction
- type: object
- required:
- - subAction
- - subActionParams
- description: The `closeAlert` subaction for Opsgenie connectors.
- properties:
- subAction:
- type: string
- description: The action to test.
- enum:
- - closeAlert
- subActionParams:
- type: object
- required:
- - alias
- properties:
- alias:
- type: string
- description: The unique identifier used for alert deduplication in Opsgenie. The alias must match the value used when creating the alert.
- note:
- type: string
- description: Additional information for the alert.
- source:
- type: string
- description: The display name for the source of the alert.
- user:
- type: string
- description: The display name for the owner.
- run_closeincident:
- title: The closeIncident subaction
- type: object
- required:
- - subAction
- - subActionParams
- description: The `closeIncident` subaction for ServiceNow ITSM connectors.
- properties:
- subAction:
- type: string
- description: The action to test.
- enum:
- - closeIncident
- subActionParams:
- type: object
- required:
- - incident
- properties:
- incident:
- type: object
- anyOf:
- - required:
- - correlation_id
- - required:
- - externalId
- properties:
- correlation_id:
- type: string
- nullable: true
- description: |
- An identifier that is assigned to the incident when it is created by the connector. NOTE: If you use the default value and the rule generates multiple alerts that use the same alert IDs, the latest open incident for this correlation ID is closed unless you specify the external ID.
- maxLength: 100
- default: '{{rule.id}}:{{alert.id}}'
- externalId:
- type: string
- nullable: true
- description: The unique identifier (`incidentId`) for the incident in ServiceNow.
- run_createalert:
- title: The createAlert subaction
- type: object
- required:
- - subAction
- - subActionParams
- description: The `createAlert` subaction for Opsgenie and TheHive connectors.
- properties:
- subAction:
- type: string
- description: The action to test.
- enum:
- - createAlert
- subActionParams:
- type: object
- properties:
- actions:
- type: array
- description: The custom actions available to the alert in Opsgenie connectors.
- items:
- type: string
- alias:
- type: string
- description: The unique identifier used for alert deduplication in Opsgenie.
- description:
- type: string
- description: A description that provides detailed information about the alert.
- details:
- type: object
- description: The custom properties of the alert in Opsgenie connectors.
- additionalProperties: true
- example:
- key1: value1
- key2: value2
- entity:
- type: string
- description: The domain of the alert in Opsgenie connectors. For example, the application or server name.
- message:
- type: string
- description: The alert message in Opsgenie connectors.
- note:
- type: string
- description: Additional information for the alert in Opsgenie connectors.
- priority:
- type: string
- description: The priority level for the alert in Opsgenie connectors.
- enum:
- - P1
- - P2
- - P3
- - P4
- - P5
- responders:
- type: array
- description: |
- The entities to receive notifications about the alert in Opsgenie connectors. If `type` is `user`, either `id` or `username` is required. If `type` is `team`, either `id` or `name` is required.
- items:
- type: object
- properties:
- id:
- type: string
- description: The identifier for the entity.
- name:
- type: string
- description: The name of the entity.
- type:
- type: string
- description: The type of responders, in this case `escalation`.
- enum:
- - escalation
- - schedule
- - team
- - user
- username:
- type: string
- description: A valid email address for the user.
- severity:
- type: integer
- minimum: 1
- maximum: 4
- description: |
- The severity of the incident for TheHive connectors. The value ranges from 1 (low) to 4 (critical) with a default value of 2 (medium).
- source:
- type: string
- description: The display name for the source of the alert in Opsgenie and TheHive connectors.
- sourceRef:
- type: string
- description: A source reference for the alert in TheHive connectors.
- tags:
- type: array
- description: The tags for the alert in Opsgenie and TheHive connectors.
- items:
- type: string
- title:
- type: string
- description: |
- A title for the incident for TheHive connectors. It is used for searching the contents of the knowledge base.
- tlp:
- type: integer
- minimum: 0
- maximum: 4
- default: 2
- description: |
- The traffic light protocol designation for the incident in TheHive connectors. Valid values include: 0 (clear), 1 (green), 2 (amber), 3 (amber and strict), and 4 (red).
- type:
- type: string
- description: The type of alert in TheHive connectors.
- user:
- type: string
- description: The display name for the owner.
- visibleTo:
- type: array
- description: The teams and users that the alert will be visible to without sending a notification. Only one of `id`, `name`, or `username` is required.
- items:
- type: object
- required:
- - type
- properties:
- id:
- type: string
- description: The identifier for the entity.
- name:
- type: string
- description: The name of the entity.
- type:
- type: string
- description: Valid values are `team` and `user`.
- enum:
- - team
- - user
- username:
- type: string
- description: The user name. This property is required only when the `type` is `user`.
- run_fieldsbyissuetype:
- title: The fieldsByIssueType subaction
- type: object
- required:
- - subAction
- - subActionParams
- description: The `fieldsByIssueType` subaction for Jira connectors.
- properties:
- subAction:
- type: string
- description: The action to test.
- enum:
- - fieldsByIssueType
- subActionParams:
- type: object
- required:
- - id
- properties:
- id:
- type: string
- description: The Jira issue type identifier.
- example: 10024
- run_getagentdetails:
- title: The getAgentDetails subaction
- type: object
- required:
- - subAction
- - subActionParams
- description: The `getAgentDetails` subaction for CrowdStrike connectors.
- properties:
- subAction:
- type: string
- description: The action to test.
- enum:
- - getAgentDetails
- subActionParams:
- type: object
- description: The set of configuration properties for the action.
- required:
- - ids
- properties:
- ids:
- type: array
- description: An array of CrowdStrike agent identifiers.
- items:
- type: string
- run_getagents:
- title: The getAgents subaction
- type: object
- required:
- - subAction
- description: The `getAgents` subaction for SentinelOne connectors.
- properties:
- subAction:
- type: string
- description: The action to test.
- enum:
- - getAgents
- run_getchoices:
- title: The getChoices subaction
- type: object
- required:
- - subAction
- - subActionParams
- description: The `getChoices` subaction for ServiceNow ITOM, ServiceNow ITSM, and ServiceNow SecOps connectors.
- properties:
- subAction:
- type: string
- description: The action to test.
- enum:
- - getChoices
- subActionParams:
- type: object
- description: The set of configuration properties for the action.
- required:
- - fields
- properties:
- fields:
- type: array
- description: An array of fields.
- items:
- type: string
- run_getfields:
- title: The getFields subaction
- type: object
- required:
- - subAction
- description: The `getFields` subaction for Jira, ServiceNow ITSM, and ServiceNow SecOps connectors.
- properties:
- subAction:
- type: string
- description: The action to test.
- enum:
- - getFields
- run_getincident:
- title: The getIncident subaction
- type: object
- description: The `getIncident` subaction for Jira, ServiceNow ITSM, and ServiceNow SecOps connectors.
- required:
- - subAction
- - subActionParams
- properties:
- subAction:
- type: string
- description: The action to test.
- enum:
- - getIncident
- subActionParams:
- type: object
- required:
- - externalId
- properties:
- externalId:
- type: string
- description: The Jira, ServiceNow ITSM, or ServiceNow SecOps issue identifier.
- example: 71778
- run_issue:
- title: The issue subaction
- type: object
- required:
- - subAction
- description: The `issue` subaction for Jira connectors.
- properties:
- subAction:
- type: string
- description: The action to test.
- enum:
- - issue
- subActionParams:
- type: object
- required:
- - id
- properties:
- id:
- type: string
- description: The Jira issue identifier.
- example: 71778
- run_issues:
- title: The issues subaction
- type: object
- required:
- - subAction
- - subActionParams
- description: The `issues` subaction for Jira connectors.
- properties:
- subAction:
- type: string
- description: The action to test.
- enum:
- - issues
- subActionParams:
- type: object
- required:
- - title
- properties:
- title:
- type: string
- description: The title of the Jira issue.
- run_issuetypes:
- title: The issueTypes subaction
- type: object
- required:
- - subAction
- description: The `issueTypes` subaction for Jira connectors.
- properties:
- subAction:
- type: string
- description: The action to test.
- enum:
- - issueTypes
- run_postmessage:
- title: The postMessage subaction
- type: object
- description: |
- Test an action that sends a message to Slack. It is applicable only when the connector type is `.slack_api`.
- required:
- - subAction
- - subActionParams
- properties:
- subAction:
- type: string
- description: The action to test.
- enum:
- - postMessage
- subActionParams:
- type: object
- description: The set of configuration properties for the action.
- properties:
- channelIds:
- type: array
- maxItems: 1
- description: |
- The Slack channel identifier, which must be one of the `allowedChannels` in the connector configuration.
- items:
- type: string
- channels:
- type: array
- deprecated: true
- description: |
- The name of a channel that your Slack app has access to.
- maxItems: 1
- items:
- type: string
- text:
- type: string
- description: |
- The Slack message text. If it is a Slack webhook connector, the text cannot contain Markdown, images, or other advanced formatting. If it is a Slack web API connector, it can contain either plain text or block kit messages.
- minLength: 1
- run_pushtoservice:
- title: The pushToService subaction
- type: object
- required:
- - subAction
- - subActionParams
- description: The `pushToService` subaction for Jira, ServiceNow ITSM, ServiceNow SecOps, Swimlane, TheHive, and Webhook - Case Management connectors.
- properties:
- subAction:
- type: string
- description: The action to test.
- enum:
- - pushToService
- subActionParams:
- type: object
- description: The set of configuration properties for the action.
- properties:
- comments:
- type: array
- description: Additional information that is sent to Jira, ServiceNow ITSM, ServiceNow SecOps, Swimlane, or TheHive.
- items:
- type: object
- properties:
- comment:
- type: string
- description: A comment related to the incident. For example, describe how to troubleshoot the issue.
- commentId:
- type: integer
- description: A unique identifier for the comment.
- incident:
- type: object
- description: Information necessary to create or update a Jira, ServiceNow ITSM, ServiveNow SecOps, Swimlane, or TheHive incident.
- properties:
- additional_fields:
- type: string
- nullable: true
- maxLength: 20
- description: |
- Additional fields for ServiceNow ITSM and ServiveNow SecOps connectors. The fields must exist in the Elastic ServiceNow application and must be specified in JSON format.
- alertId:
- type: string
- description: The alert identifier for Swimlane connectors.
- caseId:
- type: string
- description: The case identifier for the incident for Swimlane connectors.
- caseName:
- type: string
- description: The case name for the incident for Swimlane connectors.
- category:
- type: string
- description: The category of the incident for ServiceNow ITSM and ServiceNow SecOps connectors.
- correlation_display:
- type: string
- description: A descriptive label of the alert for correlation purposes for ServiceNow ITSM and ServiceNow SecOps connectors.
- correlation_id:
- type: string
- description: |
- The correlation identifier for the security incident for ServiceNow ITSM and ServiveNow SecOps connectors. Connectors using the same correlation ID are associated with the same ServiceNow incident. This value determines whether a new ServiceNow incident is created or an existing one is updated. Modifying this value is optional; if not modified, the rule ID and alert ID are combined as `{{ruleID}}:{{alert ID}}` to form the correlation ID value in ServiceNow. The maximum character length for this value is 100 characters. NOTE: Using the default configuration of `{{ruleID}}:{{alert ID}}` ensures that ServiceNow creates a separate incident record for every generated alert that uses a unique alert ID. If the rule generates multiple alerts that use the same alert IDs, ServiceNow creates and continually updates a single incident record for the alert.
- description:
- type: string
- description: The description of the incident for Jira, ServiceNow ITSM, ServiceNow SecOps, Swimlane, TheHive, and Webhook - Case Management connectors.
- dest_ip:
- description: |
- A list of destination IP addresses related to the security incident for ServiceNow SecOps connectors. The IPs are added as observables to the security incident.
- oneOf:
- - type: string
- - type: array
- items:
- type: string
- externalId:
- type: string
- description: |
- The Jira, ServiceNow ITSM, or ServiceNow SecOps issue identifier. If present, the incident is updated. Otherwise, a new incident is created.
- id:
- type: string
- description: The external case identifier for Webhook - Case Management connectors.
- impact:
- type: string
- description: The impact of the incident for ServiceNow ITSM connectors.
- issueType:
- type: integer
- description: The type of incident for Jira connectors. For example, 10006. To obtain the list of valid values, set `subAction` to `issueTypes`.
- labels:
- type: array
- items:
- type: string
- description: |
- The labels for the incident for Jira connectors. NOTE: Labels cannot contain spaces.
- malware_hash:
- description: A list of malware hashes related to the security incident for ServiceNow SecOps connectors. The hashes are added as observables to the security incident.
- oneOf:
- - type: string
- - type: array
- items:
- type: string
- malware_url:
- type: string
- description: A list of malware URLs related to the security incident for ServiceNow SecOps connectors. The URLs are added as observables to the security incident.
- oneOf:
- - type: string
- - type: array
- items:
- type: string
- otherFields:
- type: object
- additionalProperties: true
- maxProperties: 20
- description: |
- Custom field identifiers and their values for Jira connectors.
- parent:
- type: string
- description: The ID or key of the parent issue for Jira connectors. Applies only to `Sub-task` types of issues.
- priority:
- type: string
- description: The priority of the incident in Jira and ServiceNow SecOps connectors.
- ruleName:
- type: string
- description: The rule name for Swimlane connectors.
- severity:
- type: integer
- description: |
- The severity of the incident for ServiceNow ITSM, Swimlane, and TheHive connectors. In TheHive connectors, the severity value ranges from 1 (low) to 4 (critical) with a default value of 2 (medium).
- short_description:
- type: string
- description: |
- A short description of the incident for ServiceNow ITSM and ServiceNow SecOps connectors. It is used for searching the contents of the knowledge base.
- source_ip:
- description: A list of source IP addresses related to the security incident for ServiceNow SecOps connectors. The IPs are added as observables to the security incident.
- oneOf:
- - type: string
- - type: array
- items:
- type: string
- status:
- type: string
- description: The status of the incident for Webhook - Case Management connectors.
- subcategory:
- type: string
- description: The subcategory of the incident for ServiceNow ITSM and ServiceNow SecOps connectors.
- summary:
- type: string
- description: A summary of the incident for Jira connectors.
- tags:
- type: array
- items:
- type: string
- description: A list of tags for TheHive and Webhook - Case Management connectors.
- title:
- type: string
- description: |
- A title for the incident for Jira, TheHive, and Webhook - Case Management connectors. It is used for searching the contents of the knowledge base.
- tlp:
- type: integer
- minimum: 0
- maximum: 4
- default: 2
- description: |
- The traffic light protocol designation for the incident in TheHive connectors. Valid values include: 0 (clear), 1 (green), 2 (amber), 3 (amber and strict), and 4 (red).
- urgency:
- type: string
- description: The urgency of the incident for ServiceNow ITSM connectors.
- run_validchannelid:
- title: The validChannelId subaction
- type: object
- description: |
- Retrieves information about a valid Slack channel identifier. It is applicable only when the connector type is `.slack_api`.
- required:
- - subAction
- - subActionParams
- properties:
- subAction:
- type: string
- description: The action to test.
- enum:
- - validChannelId
- subActionParams:
- type: object
- required:
- - channelId
- properties:
- channelId:
- type: string
- description: The Slack channel identifier.
- example: C123ABC456
- params_property_apm_anomaly:
- required:
- - windowSize
- - windowUnit
- - environment
- - anomalySeverityType
- properties:
- serviceName:
- type: string
- description: The service name from APM
- transactionType:
- type: string
- description: The transaction type from APM
- windowSize:
- type: number
- example: 6
- description: The window size
- windowUnit:
- type: string
- description: The window size unit
- enum:
- - m
- - h
- - d
- environment:
- type: string
- description: The environment from APM
- anomalySeverityType:
- type: string
- description: The anomaly threshold value
- enum:
- - critical
- - major
- - minor
- - warning
- params_property_apm_error_count:
- required:
- - windowSize
- - windowUnit
- - threshold
- - environment
- properties:
- serviceName:
- type: string
- description: The service name from APM
- windowSize:
- type: number
- description: The window size
- example: 6
- windowUnit:
- type: string
- description: The window size unit
- enum:
- - m
- - h
- - d
- environment:
- type: string
- description: The environment from APM
- threshold:
- type: number
- description: The error count threshold value
- groupBy:
- type: array
- default:
- - service.name
- - service.environment
- uniqueItems: true
- items:
- type: string
- enum:
- - service.name
- - service.environment
- - transaction.name
- - error.grouping_key
- errorGroupingKey:
- type: string
- params_property_apm_transaction_duration:
- required:
- - windowSize
- - windowUnit
- - threshold
- - environment
- - aggregationType
- properties:
- serviceName:
- type: string
- description: The service name from APM
- transactionType:
- type: string
- description: The transaction type from APM
- transactionName:
- type: string
- description: The transaction name from APM
- windowSize:
- type: number
- description: The window size
- example: 6
- windowUnit:
- type: string
- description: ç
- enum:
- - m
- - h
- - d
- environment:
- type: string
- threshold:
- type: number
- description: The latency threshold value
- groupBy:
- type: array
- default:
- - service.name
- - service.environment
- - transaction.type
- uniqueItems: true
- items:
- type: string
- enum:
- - service.name
- - service.environment
- - transaction.type
- - transaction.name
- aggregationType:
- type: string
- enum:
- - avg
- - 95th
- - 99th
- params_property_apm_transaction_error_rate:
- required:
- - windowSize
- - windowUnit
- - threshold
- - environment
- properties:
- serviceName:
- type: string
- description: The service name from APM
- transactionType:
- type: string
- description: The transaction type from APM
- transactionName:
- type: string
- description: The transaction name from APM
- windowSize:
- type: number
- description: The window size
- example: 6
- windowUnit:
- type: string
- description: The window size unit
- enum:
- - m
- - h
- - d
- environment:
- type: string
- description: The environment from APM
- threshold:
- type: number
- description: The error rate threshold value
- groupBy:
- type: array
- default:
- - service.name
- - service.environment
- - transaction.type
- uniqueItems: true
- items:
- type: string
- enum:
- - service.name
- - service.environment
- - transaction.type
- - transaction.name
- aggfield:
- description: |
- The name of the numeric field that is used in the aggregation. This property is required when `aggType` is `avg`, `max`, `min` or `sum`.
- type: string
- aggtype:
- description: The type of aggregation to perform.
- type: string
- enum:
- - avg
- - count
- - max
- - min
- - sum
- default: count
- excludehitsfrompreviousrun:
- description: |
- Indicates whether to exclude matches from previous runs. If `true`, you can avoid alert duplication by excluding documents that have already been detected by the previous rule run. This option is not available when a grouping field is specified.
- type: boolean
- groupby:
- description: |
- Indicates whether the aggregation is applied over all documents (`all`) or split into groups (`top`) using a grouping field (`termField`). If grouping is used, an alert will be created for each group when it exceeds the threshold; only the top groups (up to `termSize` number of groups) are checked.
- type: string
- enum:
- - all
- - top
- default: all
- size:
- description: |
- The number of documents to pass to the configured actions when the threshold condition is met.
- type: integer
- termfield:
- description: |
- The names of up to four fields that are used for grouping the aggregation. This property is required when `groupBy` is `top`.
- oneOf:
- - type: string
- - type: array
- items:
- type: string
- maxItems: 4
- termsize:
- description: |
- This property is required when `groupBy` is `top`. It specifies the number of groups to check against the threshold and therefore limits the number of alerts on high cardinality fields.
- type: integer
- threshold:
- description: |
- The threshold value that is used with the `thresholdComparator`. If the `thresholdComparator` is `between` or `notBetween`, you must specify the boundary values.
- type: array
- items:
- type: integer
- example: 4000
- thresholdcomparator:
- description: The comparison function for the threshold. For example, "is above", "is above or equals", "is below", "is below or equals", "is between", and "is not between".
- type: string
- enum:
- - '>'
- - '>='
- - <
- - <=
- - between
- - notBetween
- example: '>'
- timefield:
- description: The field that is used to calculate the time window.
- type: string
- timewindowsize:
- description: |
- The size of the time window (in `timeWindowUnit` units), which determines how far back to search for documents. Generally it should be a value higher than the rule check interval to avoid gaps in detection.
- type: integer
- example: 5
- timewindowunit:
- description: |
- The type of units for the time window: seconds, minutes, hours, or days.
- type: string
- enum:
- - s
- - m
- - h
- - d
- example: m
- params_es_query_dsl_rule:
- title: Elasticsearch DSL query rule params
- description: |
- An Elasticsearch query rule can run a query defined in Elasticsearch Query DSL and compare the number of matches to a configured threshold. These parameters are appropriate when `rule_type_id` is `.es-query`.
- type: object
- required:
- - esQuery
- - index
- - threshold
- - thresholdComparator
- - timeField
- - timeWindowSize
- - timeWindowUnit
- properties:
- aggField:
- $ref: '#/components/schemas/aggfield'
- aggType:
- $ref: '#/components/schemas/aggtype'
- esQuery:
- description: The query definition, which uses Elasticsearch Query DSL.
- type: string
- excludeHitsFromPreviousRun:
- $ref: '#/components/schemas/excludehitsfrompreviousrun'
- groupBy:
- $ref: '#/components/schemas/groupby'
- index:
- description: The indices to query.
- oneOf:
- - type: array
- items:
- type: string
- - type: string
- searchType:
- description: The type of query, in this case a query that uses Elasticsearch Query DSL.
- type: string
- enum:
- - esQuery
- default: esQuery
- example: esQuery
- size:
- $ref: '#/components/schemas/size'
- termField:
- $ref: '#/components/schemas/termfield'
- termSize:
- $ref: '#/components/schemas/termsize'
- threshold:
- $ref: '#/components/schemas/threshold'
- thresholdComparator:
- $ref: '#/components/schemas/thresholdcomparator'
- timeField:
- $ref: '#/components/schemas/timefield'
- timeWindowSize:
- $ref: '#/components/schemas/timewindowsize'
- timeWindowUnit:
- $ref: '#/components/schemas/timewindowunit'
- params_es_query_esql_rule:
- title: Elasticsearch ES|QL query rule params
- description: |
- An Elasticsearch query rule can run an ES|QL query and compare the number of matches to a configured threshold. These parameters are appropriate when `rule_type_id` is `.es-query`.
- type: object
- required:
- - esqlQuery
- - searchType
- - size
- - threshold
- - thresholdComparator
- - timeWindowSize
- - timeWindowUnit
- properties:
- aggField:
- $ref: '#/components/schemas/aggfield'
- aggType:
- $ref: '#/components/schemas/aggtype'
- esqlQuery:
- type: object
- required:
- - esql
- properties:
- esql:
- description: The query definition, which uses Elasticsearch Query Language.
- type: string
- excludeHitsFromPreviousRun:
- $ref: '#/components/schemas/excludehitsfrompreviousrun'
- groupBy:
- $ref: '#/components/schemas/groupby'
- searchType:
- description: The type of query, in this case a query that uses Elasticsearch Query Language (ES|QL).
- type: string
- enum:
- - esqlQuery
- example: esqlQuery
- size:
- type: integer
- description: |
- When `searchType` is `esqlQuery`, this property is required but it does not affect the rule behavior.
- example: 0
- termSize:
- $ref: '#/components/schemas/termsize'
- threshold:
- type: array
- items:
- type: integer
- minimum: 0
- maximum: 0
- description: |
- The threshold value that is used with the `thresholdComparator`. When `searchType` is `esqlQuery`, this property is required and must be set to zero.
- thresholdComparator:
- type: string
- description: |
- The comparison function for the threshold. When `searchType` is `esqlQuery`, this property is required and must be set to ">". Since the `threshold` value must be `0`, the result is that an alert occurs whenever the query returns results.
- enum:
- - '>'
- example: '>'
- timeField:
- $ref: '#/components/schemas/timefield'
- timeWindowSize:
- $ref: '#/components/schemas/timewindowsize'
- timeWindowUnit:
- $ref: '#/components/schemas/timewindowunit'
- filter:
- type: object
- description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package.
- properties:
- meta:
- type: object
- properties:
- alias:
- type: string
- nullable: true
- controlledBy:
- type: string
- disabled:
- type: boolean
- field:
- type: string
- group:
- type: string
- index:
- type: string
- isMultiIndex:
- type: boolean
- key:
- type: string
- negate:
- type: boolean
- params:
- type: object
- type:
- type: string
- value:
- type: string
- query:
- type: object
- $state:
- type: object
- params_es_query_kql_rule:
- title: Elasticsearch KQL query rule params
- description: |
- An Elasticsearch query rule can run a query defined in KQL or Lucene and compare the number of matches to a configured threshold. These parameters are appropriate when `rule_type_id` is `.es-query`.
- type: object
- required:
- - searchType
- - size
- - threshold
- - thresholdComparator
- - timeWindowSize
- - timeWindowUnit
- properties:
- aggField:
- $ref: '#/components/schemas/aggfield'
- aggType:
- $ref: '#/components/schemas/aggtype'
- excludeHitsFromPreviousRun:
- $ref: '#/components/schemas/excludehitsfrompreviousrun'
- groupBy:
- $ref: '#/components/schemas/groupby'
- searchConfiguration:
- description: The query definition, which uses KQL or Lucene to fetch the documents from Elasticsearch.
- type: object
- properties:
- filter:
- type: array
- items:
- $ref: '#/components/schemas/filter'
- index:
- description: The indices to query.
- oneOf:
- - type: string
- - type: array
- items:
- type: string
- query:
- type: object
- properties:
- language:
- type: string
- example: kuery
- query:
- type: string
- searchType:
- description: The type of query, in this case a text-based query that uses KQL or Lucene.
- type: string
- enum:
- - searchSource
- example: searchSource
- size:
- $ref: '#/components/schemas/size'
- termField:
- $ref: '#/components/schemas/termfield'
- termSize:
- $ref: '#/components/schemas/termsize'
- threshold:
- $ref: '#/components/schemas/threshold'
- thresholdComparator:
- $ref: '#/components/schemas/thresholdcomparator'
- timeField:
- $ref: '#/components/schemas/timefield'
- timeWindowSize:
- $ref: '#/components/schemas/timewindowsize'
- timeWindowUnit:
- $ref: '#/components/schemas/timewindowunit'
- params_index_threshold_rule:
- title: Index threshold rule params
- description: An index threshold rule runs an Elasticsearch query, aggregates field values from documents, compares them to threshold values, and schedules actions to run when the thresholds are met. These parameters are appropriate when `rule_type_id` is `.index-threshold`.
- type: object
- required:
- - index
- - threshold
- - thresholdComparator
- - timeField
- - timeWindowSize
- - timeWindowUnit
- properties:
- aggField:
- $ref: '#/components/schemas/aggfield'
- aggType:
- $ref: '#/components/schemas/aggtype'
- filterKuery:
- description: A KQL expression thats limits the scope of alerts.
- type: string
- groupBy:
- $ref: '#/components/schemas/groupby'
- index:
- description: The indices to query.
- type: array
- items:
- type: string
- termField:
- $ref: '#/components/schemas/termfield'
- termSize:
- $ref: '#/components/schemas/termsize'
- threshold:
- $ref: '#/components/schemas/threshold'
- thresholdComparator:
- $ref: '#/components/schemas/thresholdcomparator'
- timeField:
- $ref: '#/components/schemas/timefield'
- timeWindowSize:
- $ref: '#/components/schemas/timewindowsize'
- timeWindowUnit:
- $ref: '#/components/schemas/timewindowunit'
- params_property_infra_inventory:
- properties:
- criteria:
- type: array
- items:
- type: object
- properties:
- metric:
- type: string
- enum:
- - count
- - cpu
- - diskLatency
- - load
- - memory
- - memoryTotal
- - tx
- - rx
- - logRate
- - diskIOReadBytes
- - diskIOWriteBytes
- - s3TotalRequests
- - s3NumberOfObjects
- - s3BucketSize
- - s3DownloadBytes
- - s3UploadBytes
- - rdsConnections
- - rdsQueriesExecuted
- - rdsActiveTransactions
- - rdsLatency
- - sqsMessagesVisible
- - sqsMessagesDelayed
- - sqsMessagesSent
- - sqsMessagesEmpty
- - sqsOldestMessage
- - custom
- timeSize:
- type: number
- timeUnit:
- type: string
- enum:
- - s
- - m
- - h
- - d
- sourceId:
- type: string
- threshold:
- type: array
- items:
- type: number
- comparator:
- type: string
- enum:
- - <
- - <=
- - '>'
- - '>='
- - between
- - outside
- customMetric:
- type: object
- properties:
- type:
- type: string
- enum:
- - custom
- field:
- type: string
- aggregation:
- type: string
- enum:
- - avg
- - max
- - min
- - rate
- id:
- type: string
- label:
- type: string
- warningThreshold:
- type: array
- items:
- type: number
- warningComparator:
- type: string
- enum:
- - <
- - <=
- - '>'
- - '>='
- - between
- - outside
- filterQuery:
- type: string
- filterQueryText:
- type: string
- nodeType:
- type: string
- enum:
- - host
- - pod
- - container
- - awsEC2
- - awsS3
- - awsSQS
- - awsRDS
- sourceId:
- type: string
- alertOnNoData:
- type: boolean
- params_property_log_threshold:
- oneOf:
- - title: Count
- type: object
- required:
- - count
- - timeSize
- - timeUnit
- - logView
- properties:
- criteria:
- type: array
- items:
- type: object
- properties:
- field:
- type: string
- example: my.field
- comparator:
- type: string
- enum:
- - more than
- - more than or equals
- - less than
- - less than or equals
- - equals
- - does not equal
- - matches
- - does not match
- - matches phrase
- - does not match phrase
- value:
- oneOf:
- - type: number
- example: 42
- - type: string
- example: value
- count:
- type: object
- properties:
- comparator:
- type: string
- enum:
- - more than
- - more than or equals
- - less than
- - less than or equals
- - equals
- - does not equal
- - matches
- - does not match
- - matches phrase
- - does not match phrase
- value:
- type: number
- example: 100
- timeSize:
- type: number
- example: 6
- timeUnit:
- type: string
- enum:
- - s
- - m
- - h
- - d
- logView:
- type: object
- properties:
- logViewId:
- type: string
- type:
- type: string
- enum:
- - log-view-reference
- example: log-view-reference
- groupBy:
- type: array
- items:
- type: string
- - title: Ratio
- type: object
- required:
- - count
- - timeSize
- - timeUnit
- - logView
- properties:
- criteria:
- type: array
- items:
- minItems: 2
- maxItems: 2
- type: array
- items:
- type: object
- properties:
- field:
- type: string
- example: my.field
- comparator:
- type: string
- enum:
- - more than
- - more than or equals
- - less than
- - less than or equals
- - equals
- - does not equal
- - matches
- - does not match
- - matches phrase
- - does not match phrase
- value:
- oneOf:
- - type: number
- example: 42
- - type: string
- example: value
- count:
- type: object
- properties:
- comparator:
- type: string
- enum:
- - more than
- - more than or equals
- - less than
- - less than or equals
- - equals
- - does not equal
- - matches
- - does not match
- - matches phrase
- - does not match phrase
- value:
- type: number
- example: 100
- timeSize:
- type: number
- example: 6
- timeUnit:
- type: string
- enum:
- - s
- - m
- - h
- - d
- logView:
- type: object
- properties:
- logViewId:
- type: string
- type:
- type: string
- enum:
- - log-view-reference
- example: log-view-reference
- groupBy:
- type: array
- items:
- type: string
- params_property_infra_metric_threshold:
- properties:
- criteria:
- type: array
- items:
- oneOf:
- - title: non count criterion
- type: object
- properties:
- threshold:
- type: array
- items:
- type: number
- comparator:
- type: string
- enum:
- - <
- - <=
- - '>'
- - '>='
- - between
- - outside
- timeUnit:
- type: string
- timeSize:
- type: number
- warningThreshold:
- type: array
- items:
- type: number
- warningComparator:
- type: string
- enum:
- - <
- - <=
- - '>'
- - '>='
- - between
- - outside
- metric:
- type: string
- aggType:
- type: string
- enum:
- - avg
- - max
- - min
- - cardinality
- - rate
- - count
- - sum
- - p95
- - p99
- - custom
- - title: count criterion
- type: object
- properties:
- threshold:
- type: array
- items:
- type: number
- comparator:
- type: string
- enum:
- - <
- - <=
- - '>'
- - '>='
- - between
- - outside
- timeUnit:
- type: string
- timeSize:
- type: number
- warningThreshold:
- type: array
- items:
- type: number
- warningComparator:
- type: string
- enum:
- - <
- - <=
- - '>'
- - '>='
- - between
- - outside
- aggType:
- type: string
- enum:
- - count
- - title: custom criterion
- type: object
- properties:
- threshold:
- type: array
- items:
- type: number
- comparator:
- type: string
- enum:
- - <
- - <=
- - '>'
- - '>='
- - between
- - outside
- timeUnit:
- type: string
- timeSize:
- type: number
- warningThreshold:
- type: array
- items:
- type: number
- warningComparator:
- type: string
- enum:
- - <
- - <=
- - '>'
- - '>='
- - between
- - outside
- aggType:
- type: string
- enum:
- - custom
- customMetric:
- type: array
- items:
- oneOf:
- - type: object
- properties:
- name:
- type: string
- aggType:
- type: string
- enum:
- - avg
- - sum
- - max
- - min
- - cardinality
- field:
- type: string
- - type: object
- properties:
- name:
- type: string
- aggType:
- type: string
- enum:
- - count
- filter:
- type: string
- equation:
- type: string
- label:
- type: string
- groupBy:
- oneOf:
- - type: string
- - type: array
- items:
- type: string
- filterQuery:
- type: string
- sourceId:
- type: string
- alertOnNoData:
- type: boolean
- alertOnGroupDisappear:
- type: boolean
- params_property_slo_burn_rate:
- properties:
- sloId:
- description: The SLO identifier used by the rule
- type: string
- example: 8853df00-ae2e-11ed-90af-09bb6422b258
- burnRateThreshold:
- description: The burn rate threshold used to trigger the alert
- type: number
- example: 14.4
- maxBurnRateThreshold:
- description: The maximum burn rate threshold value defined by the SLO error budget
- type: number
- example: 168
- longWindow:
- description: The duration of the long window used to compute the burn rate
- type: object
- properties:
- value:
- description: The duration value
- type: number
- example: 6
- unit:
- description: The duration unit
- type: string
- example: h
- shortWindow:
- description: The duration of the short window used to compute the burn rate
- type: object
- properties:
- value:
- description: The duration value
- type: number
- example: 30
- unit:
- description: The duration unit
- type: string
- example: m
- params_property_synthetics_uptime_tls:
- properties:
- search:
- type: string
- certExpirationThreshold:
- type: number
- certAgeThreshold:
- type: number
- params_property_synthetics_monitor_status:
- required:
- - numTimes
- - shouldCheckStatus
- - shouldCheckAvailability
- properties:
- availability:
- type: object
- properties:
- range:
- type: number
- rangeUnit:
- type: string
- threshold:
- type: string
- filters:
- oneOf:
- - type: string
- - type: object
- deprecated: true
- properties:
- monitor.type:
- type: array
- items:
- type: string
- observer.geo.name:
- type: array
- items:
- type: string
- tags:
- type: array
- items:
- type: string
- url.port:
- type: array
- items:
- type: string
- locations:
- deprecated: true
- type: array
- items:
- type: string
- numTimes:
- type: number
- search:
- type: string
- shouldCheckStatus:
- type: boolean
- shouldCheckAvailability:
- type: boolean
- timerangeCount:
- type: number
- timerangeUnit:
- type: string
- timerange:
- deprecated: true
- type: object
- properties:
- from:
- type: string
- to:
- type: string
- version:
- type: number
- isAutoGenerated:
- type: boolean
securitySchemes:
apiKeyAuth:
- description: |
- These APIs use key-based authentication. You must create an API key and use the encoded value in the request header. For example: `Authorization: ApiKey base64AccessApiKey`
+ description: >
+ These APIs use key-based authentication. You must create an API key and
+ use the encoded value in the request header. For example:
+ `Authorization: ApiKey base64AccessApiKey`
in: header
name: Authorization
type: apiKey
basicAuth:
scheme: basic
type: http
-x-topics:
- - title: Kibana spaces
- content: |
- Spaces enable you to organize your dashboards and other saved objects into meaningful categories.
- You can use the default space or create your own spaces.
+security:
+ - apiKeyAuth: []
+ - basicAuth: []
+tags:
+ - name: alerting
+ - description: |
+ Adjust APM agent configuration without need to redeploy your application.
+ name: APM agent configuration
+ - description: >
+ Configure APM agent keys to authorize requests from APM agents to the APM
+ Server.
+ name: APM agent keys
+ - description: >
+ Annotate visualizations in the APM app with significant events.
+ Annotations enable you to easily see how events are impacting the
+ performance of your applications.
+ name: APM annotations
+ - description: Create APM fleet server schema.
+ name: APM server schema
+ - description: Configure APM source maps.
+ name: APM sourcemaps
+ - description: Case APIs enable you to open and track issues.
+ name: cases
+ - name: connectors
+ - name: Dashboards
+ - description: >-
+ Data view APIs enable you to manage data views, formerly known as Kibana
+ index patterns.
+ name: data views
+ - description: >
+ Programmatically integrate with Logstash configuration management.
+
+ > warn
+
+ > Do not directly access the `.logstash` index. The structure of the
+ `.logstash` index is subject to change, which could cause your integration
+ to break. Instead, use the Logstash configuration management APIs.
+ externalDocs:
+ description: Centralized pipeline management
+ url: >-
+ https://www.elastic.co/guide/en/logstash/current/logstash-centralized-pipeline-management.html
+ name: logstash
+ x-displayName: Logstash configuration management
+ - description: Machine learning
+ name: ml
+ - name: roles
+ - description: >
+ Export sets of saved objects that you want to import into Kibana, resolve
+ import errors, and rotate an encryption key for encrypted saved objects
+ with the saved objects APIs.
+
+
+ To manage a specific type of saved object, use the corresponding APIs.
+
+ For example, use:
+
+
+ * [Data views](../group/endpoint-data-views)
+
+ * [Spaces](https://www.elastic.co/guide/en/kibana/current/spaces-api.html)
+
+ * [Short
+ URLs](https://www.elastic.co/guide/en/kibana/current/short-urls-api.html)
+
+
+ Warning: Do not write documents directly to the `.kibana` index. When you
+ write directly to the `.kibana` index, the data becomes corrupted and
+ permanently breaks future Kibana versions.
+ name: saved objects
+ x-displayName: Saved objects
+ - description: Manage and interact with Security Assistant resources.
+ name: Security AI Assistant API
+ x-displayName: Security AI assistant
+ - description: >
+ Use the detections APIs to create and manage detection rules. Detection
+ rules search events and external alerts sent to Elastic Security and
+ generate detection alerts from any hits. Alerts are displayed on the
+ **Alerts** page and can be assigned and triaged, using the alert status to
+ mark them as open, closed, or acknowledged.
+
+
+ This API supports both key-based authentication and basic authentication.
+
+
+ To use key-based authentication, create an API key, then specify the key
+ in the header of your API calls.
+
+
+ To use basic authentication, provide a username and password; this
+ automatically creates an API key that matches the current user’s
+ privileges.
+
+
+ In both cases, the API key is subsequently used for authorization when the
+ rule runs.
+
+ > warn
+
+ > If the API key used for authorization has different privileges than the
+ key that created or most recently updated a rule, the rule behavior might
+ change.
+
+
+ > If the API key that created a rule is deleted, or the user that created
+ the rule becomes inactive, the rule will stop running.
+
+
+ To create and run rules, the user must meet specific requirements for the
+ Kibana space. Refer to the [Detections
+ requirements](https://www.elastic.co/guide/en/security/current/detections-permissions-section.html)
+ for a complete list of requirements.
+ name: Security Detections API
+ x-displayName: Security detections
+ - description: >-
+ Endpoint Exceptions API allows you to manage detection rule endpoint
+ exceptions to prevent a rule from generating an alert from incoming events
+ even when the rule's other criteria are met.
+ name: Security Endpoint Exceptions API
+ x-displayName: Security endpoint exceptions
+ - description: Interact with and manage endpoints running the Elastic Defend integration.
+ name: Security Endpoint Management API
+ x-displayName: Security endpoint management
+ - description: ''
+ name: Security Entity Analytics API
+ x-displayName: Security entity analytics
+ - description: >
+ Exceptions are associated with detection and endpoint rules, and are used
+ to prevent a rule from generating an alert from incoming events, even when
+ the rule's other criteria are met. They can help reduce the number of
+ false positives and prevent trusted processes and network activity from
+ generating unnecessary alerts.
+
+
+ Exceptions are made up of:
+
+
+ * **Exception containers**: A container for related exceptions. Generally,
+ a single exception container contains all the exception items relevant for
+ a subset of rules. For example, a container can be used to group together
+ network-related exceptions that are relevant for a large number of network
+ rules. The container can then be associated with all the relevant rules.
+
+ * **Exception items**: The query (fields, values, and logic) used to
+ prevent rules from generating alerts. When an exception item's query
+ evaluates to `true`, the rule does not generate an alert.
+
+
+ For detection rules, you can also use lists to define rule exceptions. A
+ list holds multiple values of the same Elasticsearch data type, such as IP
+ addresses. These values are used to determine when an exception prevents
+ an alert from being generated.
+
+ > info
+
+ > You cannot use lists with endpoint rule exceptions.
+
+
+ > info
+
+ > Only exception containers can be associated with rules. You cannot
+ directly associate an exception item or a list container with a rule. To
+ use list exceptions, create an exception item that references the relevant
+ list container.
+
+
+ ## Exceptions requirements
+
+
+ Before you can start working with exceptions that use value lists, you
+ must create the `.lists` and `.items` data streams for the relevant Kibana
+ space. To do this, use the [Create list data
+ streams](../operation/operation-createlistindex) endpoint. Once these data
+ streams are created, your role needs privileges to manage rules. For a
+ complete list of requirements, refer to [Enable and access
+ detections](https://www.elastic.co/guide/en/security/current/detections-permissions-section.html#enable-detections-ui).
+ name: Security Exceptions API
+ x-displayName: Security exceptions
+ - description: >
+ Lists can be used with detection rule exceptions to define values that
+ prevent a rule from generating alerts.
+
+
+ Lists are made up of:
+
+
+ * **List containers**: A container for values of the same Elasticsearch
+ data type. The following data types can be used:
+ * `boolean`
+ * `byte`
+ * `date`
+ * `date_nanos`
+ * `date_range`
+ * `double`
+ * `double_range`
+ * `float`
+ * `float_range`
+ * `half_float`
+ * `integer`
+ * `integer_range`
+ * `ip`
+ * `ip_range`
+ * `keyword`
+ * `long`
+ * `long_range`
+ * `short`
+ * `text`
+ * **List items**: The values used to determine whether the exception
+ prevents an alert from being generated.
+
+
+ All list items in the same list container must be of the same data type,
+ and each item defines a single value. For example, an IP list container
+ named `internal-ip-addresses-southport` contains five items, where each
+ item defines one internal IP address:
+
+ 1. `192.168.1.1`
+
+ 2. `192.168.1.3`
+
+ 3. `192.168.1.18`
+
+ 4. `192.168.1.12`
+
+ 5. `192.168.1.7`
+
+
+ To use these IP addresses as values for defining rule exceptions, use the
+ Security exceptions API to [create an exception list
+ item](../operation/operation-createexceptionlistitem) that references the
+ `internal-ip-addresses-southport` list.
+
+ > info
+
+ > Lists cannot be added directly to rules, nor do they define the
+ operators used to determine when exceptions are applied (`is in list`, `is
+ not in list`). Use an exception item to define the operator and associate
+ it with an [exception
+ container](../operation/operation-createexceptionlist). You can then add
+ the exception container to a rule's `exceptions_list` object.
- To run APIs in non-default spaces, you must add `s/{space_id}/` to the path.
- For example:
- ```
- curl -X GET "http://localhost:5601/s/marketing/api/data_views"
- ```
+ ## Lists requirements
- If you use the Kibana console to send API requests, it automatically adds the appropriate space identifier.
- To learn more, check out [Spaces](https://www.elastic.co/guide/en/kibana/8.x/xpack-spaces.html).
+ Before you can start using lists, you must create the `.lists` and
+ `.items` data streams for the relevant Kibana space. To do this, use the
+ [Create list data streams](../operation/operation-createlistindex)
+ endpoint. Once these data streams are created, your role needs privileges
+ to manage rules. Refer to [Enable and access
+ detections](https://www.elastic.co/guide/en/security/current/detections-permissions-section.html#enable-detections-ui)
+ for a complete list of requirements.
+ name: Security Lists API
+ x-displayName: Security lists
+ - description: Run live queries, manage packs and saved queries.
+ name: Security Osquery API
+ x-displayName: Security Osquery
+ - description: >-
+ You can create Timelines and Timeline templates via the API, as well as
+ import new Timelines from an ndjson file.
+ name: Security Timeline API
+ x-displayName: Security timeline
+ - description: Manage Kibana short URLs.
+ name: short url
+ x-displayName: Short URLs
+ - description: SLO APIs enable you to define, manage and track service-level objectives
+ name: slo
+ - name: spaces
+ - name: synthetics
+ - name: system
+ - externalDocs:
+ description: Task manager
+ url: >-
+ https://www.elastic.co/guide/en/kibana/current/task-manager-production-considerations.html
+ name: task manager
+ x-displayName: Task manager
+ - description: >-
+ Check the upgrade status of your Elasticsearch cluster and reindex indices
+ that were created in the previous major version. The assistant helps you
+ prepare for the next major version of Elasticsearch.
+ name: upgrade
+ x-displayName: Upgrade assistant
+ - externalDocs:
+ description: Uptime monitoring
+ url: https://www.elastic.co/guide/en/observability/current/uptime-intro.html
+ name: uptime
+ x-displayName: Uptime
+ - name: user session
+ x-displayName: User session management
diff --git a/x-pack/platform/plugins/shared/fleet/common/experimental_features.ts b/x-pack/platform/plugins/shared/fleet/common/experimental_features.ts
index 19f7289462c13..e9d9cc269ac5a 100644
--- a/x-pack/platform/plugins/shared/fleet/common/experimental_features.ts
+++ b/x-pack/platform/plugins/shared/fleet/common/experimental_features.ts
@@ -24,9 +24,21 @@ const _allowedExperimentalValues = {
subfeaturePrivileges: true,
advancedPolicySettings: true,
useSpaceAwareness: false,
+<<<<<<< HEAD
enableReusableIntegrationPolicies: true,
asyncDeployPolicies: true,
enableExportCSV: true,
+||||||| parent of 18b0dc11cad ([Fleet] enable feature flag `enableAutomaticAgentUpgrades` (#219932))
+ enableAutomaticAgentUpgrades: false,
+ enableSyncIntegrationsOnRemote: false,
+ enableSSLSecrets: false,
+ installedIntegrationsTabularUI: false,
+=======
+ enableAutomaticAgentUpgrades: true,
+ enableSyncIntegrationsOnRemote: false,
+ enableSSLSecrets: false,
+ installedIntegrationsTabularUI: false,
+>>>>>>> 18b0dc11cad ([Fleet] enable feature flag `enableAutomaticAgentUpgrades` (#219932))
enabledUpgradeAgentlessDeploymentsTask: false,
enableAutomaticAgentUpgrades: false,
};
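Review bot: The hunk commits unresolved merge-conflict markers (`<<<<<<< HEAD`, `|||||||`, `=======`, `>>>>>>>`) into the object literal, so the file cannot parse, and even after the markers are stripped the literal would declare `enableAutomaticAgentUpgrades` twice — `true` in the incoming block and `false` in the retained context line just before `};` — which TypeScript rejects as a duplicate property. Because this flag gates whether Fleet upgrades agents automatically, its effective default should be decided deliberately and appear exactly once; the incoming commit's title indicates `true` is intended, but the retained line says `false`, so confirm with the authors rather than letting the last occurrence win. Remove the marker lines and the `|||||||` base block, keep the three new flags once, and drop the duplicate. The enclosing `_allowedExperimentalValues` object starts outside the hunk.
```typescript
  useSpaceAwareness: false,
  // … unchanged: enableReusableIntegrationPolicies, asyncDeployPolicies, enableExportCSV …
  enableSyncIntegrationsOnRemote: false,
  enableSSLSecrets: false,
  installedIntegrationsTabularUI: false,
  enabledUpgradeAgentlessDeploymentsTask: false,
  enableAutomaticAgentUpgrades: true, // TODO(review): confirm — incoming side says true, retained HEAD line says false
};
```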